catalog: add tekimax-security community extension (v0.3.1)#2215
catalog: add tekimax-security community extension (v0.3.1)#2215kaman1 wants to merge 1 commit intogithub:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds the TEKIMAX Secure SDD community extension (tekimax-security) to the Spec Kit community extensions catalog so users can discover and install it via the standard catalog mechanism.
Changes:
- Bump
extensions/catalog.community.jsontop-levelupdated_at. - Add a new
tekimax-securityentry with metadata (repo/docs/download URL, version, tags, requires/provides).
Show a summary per file
| File | Description |
|---|---|
| extensions/catalog.community.json | Adds the new community extension entry and updates catalog timestamp metadata. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Please address Copilot feedback and make sure to also add a row in the Community extension section in the main README (alphabetically ordered)
|
Bumped this PR to v0.2.6 (commit
Release notes: https://github.com/TEKIMAX/speckit-security/releases/tag/v0.2.6 The catalog |
There was a problem hiding this comment.
Pull request overview
Adds a new community extension entry to extensions/catalog.community.json for TEKIMAX Secure SDD and updates the catalog’s top-level updated_at timestamp.
Changes:
- Bumped
extensions/catalog.community.jsontop-levelupdated_at. - Added a new
tekimax-securityextension entry (metadata, download URL, tags, provides/requires).
Show a summary per file
| File | Description |
|---|---|
| extensions/catalog.community.json | Updates catalog timestamp and registers the new tekimax-security community extension entry. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
| "version": "0.2.6", | ||
| "download_url": "https://github.com/TEKIMAX/speckit-security/archive/refs/tags/v0.2.6.zip", | ||
| "repository": "https://github.com/TEKIMAX/speckit-security", |
There was a problem hiding this comment.
PR description states the release being added is v0.2.5, but the catalog entry sets version to 0.2.6 and the download_url points at the v0.2.6 tag. Please make these consistent (either update the PR description/verification links to v0.2.6, or change the catalog entry back to v0.2.5) so consumers download the intended release.
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Can you update the PR description and then we should be good to go
Reflects the v0.3.1 release in the community-catalog entry so the spec-kit catalog maintainers see current content when reviewing PR github/spec-kit#2215. - version: 0.3.0 → 0.3.1 - commands_count: 8 → 9 (dep-audit added) - description: mention polyglot scan and Gate G - PR-BODY.md: rewritten for v0.3.1 (Gate G, polyglot, anchored allowlist, recursive .env, --staged-only / --json flags) No behavior changes. Release artifacts (CHANGELOG, README, tag v0.3.1, GitHub release) already reflect v0.3.1.
Reflects the v0.3.1 release in the community-catalog entry so the spec-kit catalog maintainers see current content when reviewing PR github/spec-kit#2215. - version: 0.3.0 → 0.3.1 - commands_count: 8 → 9 (dep-audit added) - description: mention polyglot scan and Gate G - PR-BODY.md: rewritten for v0.3.1 (Gate G, polyglot, anchored allowlist, recursive .env, --staged-only / --json flags) No behavior changes. Release artifacts (CHANGELOG, README, tag v0.3.1, GitHub release) already reflect v0.3.1.
Adds the TEKIMAX Secure SDD extension to extensions/catalog.community.json and the Community Extensions table in README.md (alphabetical, between Superpowers Bridge and TinySpec per maintainer guidance on PR github#2215). Catalog entry: - version: 0.3.1 (current shipped release) - created_at == updated_at == 2026-04-16 (first-publish timestamps match per Copilot review feedback on PR github#2215) - download_url points at the v0.3.1 release tag - provides: 9 commands, 5 hooks - license: Apache-2.0 Repo: https://github.com/TEKIMAX/speckit-security Release: https://github.com/TEKIMAX/speckit-security/releases/tag/v0.3.1 Addresses github#2215 review comments (@mnriem, @copilot-pull-request-reviewer): - README row added in Community Extensions section (alphabetical). - created_at / updated_at on the entry match on first publish. - PR description, catalog entry version, and download_url are consistent at v0.3.1.
kaman1
force-pushed
the
add-tekimax-security-extension
branch
from
78472d0 to
a24efbd
Compare
kaman1
changed the title
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
| "tekimax-security": { | ||
| "name": "TEKIMAX Secure SDD", | ||
| "id": "tekimax-security", | ||
| "description": "Security-first extension for Spec Kit — threat modeling (STRIDE), red teaming, AI guardrails, data contracts, model governance, polyglot inline-content scan, dependency CVE scan (Gate G via osv-scanner / pnpm / npm / yarn), and project-root-confined scripts with tamper-evident hash-chain audit logs.", |
There was a problem hiding this comment.
The catalog schema/publishing guide requires description to be brief (<200 chars). This new entry’s description is far longer and likely to violate the documented schema; please shorten it to a concise summary and move detail to README/docs.
| "description": "Security-first extension for Spec Kit — threat modeling (STRIDE), red teaming, AI guardrails, data contracts, model governance, polyglot inline-content scan, dependency CVE scan (Gate G via osv-scanner / pnpm / npm / yarn), and project-root-confined scripts with tamper-evident hash-chain audit logs.", | |
| "description": "Security-first Spec Kit extension for threat modeling, AI guardrails, compliance, and secure development workflows.", |
| "created_at": "2026-04-16T00:00:00Z", | ||
| "updated_at": "2026-04-16T00:00:00Z" |
There was a problem hiding this comment.
created_at/updated_at for a newly published extension are expected to use the current timestamp (per the Extension Publishing Guide). These are set to midnight (...T00:00:00Z) rather than the actual publish time; please update them to the current time (and keep them equal on first publish).
| "created_at": "2026-04-16T00:00:00Z", | |
| "updated_at": "2026-04-16T00:00:00Z" | |
| "created_at": "2026-04-16T18:40:00Z", | |
| "updated_at": "2026-04-16T18:40:00Z" |
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Please address Copilot feedback
Summary
Adds a
catalog.community.jsonentry and a Community Extensions README row for TEKIMAX Secure SDD (speckit-security), an Apache-2.0 Spec Kit extension that layers security gates onto the spec-driven development lifecycle.Files changed
extensions/catalog.community.json— newtekimax-securityentry (alphabetical, betweensyncandtinyspec); top-levelupdated_atbumped.README.md— new row in the Community Extensions table (alphabetical, between Superpowers Bridge and TinySpec).What the extension adds for Spec Kit users
9 slash commands under
speckit.tekimax-security.*:data-contract— declare sources, schemas, PII strategy, bias audit, drift thresholdsthreat-model— generate a STRIDE threat model for the active specmodel-governance— pin model version, define eval baselines, rollback planguardrails— generate versioned system prompt + guardrail YAMLgate-check— run all seven gates against the active spec, emit verdictaudit— post-implementation scan (inline prompts, secrets, direct SDK imports) — polyglot (TS/JS/Py/Go/Rust/Ruby/Java/Kotlin/Swift/PHP/Sh/YAML/JSON/TOML/TF/MD)dep-audit— dependency CVE scan (Gate G) viaosv-scanner/pnpm/npm/yarnred-team— generate adversarial scenarios;--runhits staging with safety guardsinstall-rules— install development rules into docs, constitution, and agent context5 phase hooks:
after_specifydata-contractafter_planthreat-modelbefore_implementgate-checkafter_implementauditbefore_analyzered-teamSeven gates (A–G) run via
gate-check.sh: Data Contract, Threat Model, Model Governance, Guardrails, Red Team, Inline Content Scan (polyglot), Dependency CVEs (new in v0.3.1).Highlights (why v0.3.1)
osv-scannerpreferred, falls back topnpm audit/npm audit/yarn npm audit. Threshold-gated viadep_audit.fail_on(low|moderate|high|critical).audit.include_globs/audit.exclude_paths./boundary + file-extension append;src/ai/gatewayno longer silently matchessrc/ai/gateway-bypass.ts..envdetection —apps/*/.env,packages/*/.env.local;.env.example/.sample/.templateremain allowed.--staged-onlyand--jsonflags onaudit.sh,gate-check.sh,dep-audit.shfor pre-commit and CI.require_inside_project), JSONL injection prevention (jsonl_append), tamper-evident hash chain (jsonl_append_chained), Gate B STRIDE content-row check, Gate D numeric rate-limit / cost-ceiling check.Review feedback addressed
created_atandupdated_atshould match on first publish." → Both set to2026-04-16T00:00:00Z.Verification
extensions/catalog.community.jsonis valid JSON (python3 -m json.tool)sync/Superpowers Bridge andtinyspec/TinySpec)created_at == updated_aton the new entry0.3.1matchesextension.yml, the release tag, and thedownload_urlgithub/spec-kit:mainLinks
Compatibility
Requires
speckit_version >= 0.1.0.