specky-sdd 2.0.0 → 2.2.2

package/hooks/security-scan.md

@@ -0,0 +1,72 @@
+---
+name: security-scan
+description: "Run security checklist against OWASP Top 10 and validate authentication patterns"
+trigger: "before PR merge / after implementation"
+model: claude-haiku-3.5
+enabled: true
+---
+
+# Security Scan Hook
+
+Validates implementation against OWASP Top 10 vulnerabilities, secrets detection, and authentication patterns before merge or deployment.
+
+## Trigger Event
+
+- PR submitted or marked as ready for review
+- Implementation phase complete (TASK_STATUS = `implemented`)
+- Pre-deployment verification requested
+
+## Execution Steps
+
+1. **Read implementation** from modified code files
+2. **Scan for secrets** — API keys, tokens, credentials (regex patterns)
+3. **Check OWASP Top 10** categories:
+   - A1: Broken Access Control
+   - A2: Cryptographic Failures
+   - A3: Injection
+   - A4: Insecure Design
+   - A5: Security Misconfiguration
+   - A6: Vulnerable Components
+   - A7: Auth Failures
+   - A8: Data Integrity
+   - A9: Logging/Monitoring
+   - A10: SSRF
+4. **Validate auth patterns** — JWT, OAuth, session handling
+5. **Generate report** in SECURITY_SCAN.md
+
+## Output Format
+
+```markdown
+# Security Scan Report
+
+Scanned: [files count]
+Timestamp: [ISO]
+Status: [PASS / WARNINGS / BLOCKED]
+
+## Secrets Detected
+- [list or "None found"]
+
+## OWASP Findings
+- A1: [risk level] - [finding]
+- A3: [risk level] - [finding]
+
+## Auth Pattern Review
+- JWT validation: [status]
+- Error messages: [no credential leaks? Y/N]
+
+## Recommendations
+1. [action]
+```
+
+## Model Configuration
+
+- **Model:** claude-haiku-3.5 (fast, security-focused)
+- **Temperature:** 0.1 (conservative, no false negatives)
+- **Max tokens:** 2500
+
+## Notes
+
+- BLOCKED status prevents merge; WARNINGS require acknowledgment
+- Use community security patterns (OWASP cheatsheets)
+- Flag custom crypto or auth implementations for manual review
+- Store scan reports in `reports/security/`

package/hooks/spec-sync.md

@@ -0,0 +1,80 @@
+---
+name: spec-sync
+description: "Compare implementation against SPECIFICATION.md and DESIGN.md; flag drift"
+trigger: "after code changes"
+model: claude-haiku-3.5
+enabled: true
+---
+
+# Spec-Sync Hook
+
+Continuously validates that implementation matches specification and design documents. Flags any divergence and suggests updates to either code or specs.
+
+## Trigger Event
+
+- Code changes in `src/`, `lib/`, or `app/`
+- SPECIFICATION.md or DESIGN.md modified
+- Manual sync check requested
+
+## Execution Steps
+
+1. **Read specification** from SPECIFICATION.md (acceptance criteria, requirements)
+2. **Read design** from DESIGN.md (architecture, interfaces, algorithms)
+3. **Read implementation** from changed code files
+4. **Map acceptance criteria** to code sections
+5. **Check for drift**:
+   - Missing implementations vs. spec
+   - Extra features not in spec (scope creep)
+   - Design changes not reflected in code
+   - Code changes not reflected in design docs
+6. **Generate SYNC_REPORT.md** with findings
+
+## Output Format
+
+```markdown
+# Spec-Sync Report
+
+Generated: [ISO timestamp]
+Comparison: SPECIFICATION.md ↔ DESIGN.md ↔ Implementation
+
+## Status Summary
+- Total Criteria: [N]
+- Implemented: [N]
+- Pending: [N]
+- Drifted: [N]
+
+## Drift Analysis
+
+### Missing Implementations
+- [spec criterion] → [file] → NOT FOUND
+
+### Extra Implementations
+- [code feature] → [file] → NOT IN SPEC
+
+### Design Drift
+- [design doc] conflicts with [code] in [file]
+
+## Recommended Actions
+1. [action to realign spec or code]
+```
+
+## Traceability Matrix
+
+Each finding includes a trace ID linking:
+- Spec requirement ID
+- Design section reference
+- Code file location
+- Status (implemented / pending / drifted)
+
+## Model Configuration
+
+- **Model:** claude-haiku-3.5 (precision)
+- **Temperature:** 0.2 (objective comparison)
+- **Max tokens:** 3000
+
+## Notes
+
+- This hook is the "source of truth" for spec-code alignment
+- Run before every PR merge
+- Store reports in `reports/traceability/`
+- Do not modify code or specs; only report drift

package/hooks/srp-validator.md

@@ -0,0 +1,86 @@
+---
+name: srp-validator
+description: "Validate Single Responsibility Principle; flag files/functions doing too much"
+trigger: "after code changes"
+model: claude-haiku-3.5
+enabled: true
+---
+
+# SRP Validator Hook
+
+Validates code against the Single Responsibility Principle (SRP) after every change. Flags functions and files that do too much and suggests decomposition.
+
+## Trigger Event
+
+- Code changes in `src/`, `lib/`, or `app/`
+- New function added (>50 lines or >5 responsibilities detected)
+- New file added (>200 lines)
+- Manual SRP audit requested
+
+## Execution Steps
+
+1. **Analyze changed functions** — extract responsibilities
+2. **Count responsibilities** using heuristics:
+   - Number of reasons to change (spec dependencies)
+   - Cyclomatic complexity (decision branches)
+   - Function length (lines of code)
+   - Parameter count
+3. **Flag violations**:
+   - Functions with >1 domain responsibility
+   - Files with >3 related responsibilities
+   - Utility files with >10 unrelated functions
+4. **Generate suggestions** for decomposition
+5. **Write SRP_REPORT.md** with findings
+
+## Output Format
+
+```markdown
+# SRP Validator Report
+
+Analyzed: [file count], [function count]
+Timestamp: [ISO]
+Violations: [count]
+
+## Violations
+
+### [file.js] - Line [N]
+**Function:** \`functionName()\`
+**Responsibilities:**
+1. [responsibility 1 - spec dependency]
+2. [responsibility 2 - spec dependency]
+3. [responsibility 3 - spec dependency]
+
+**Metrics:**
+- Lines: [N]
+- Complexity: [N]
+- Parameters: [N]
+
+**Suggestion:**
+Extract into:
+- \`validateInput()\` — handles validation
+- \`processData()\` — handles transformation
+
+## SRP Score
+Overall: [percent] violations of SRP
+```
+
+## Responsibility Detection
+
+Scans for:
+- Multiple spec sections referenced
+- Multiple error conditions or branches
+- Multiple domain concepts (parsing + validation + logging)
+- Multiple external dependencies injected
+
+## Model Configuration
+
+- **Model:** claude-haiku-3.5 (structural analysis)
+- **Temperature:** 0.2 (objective measurement)
+- **Max tokens:** 2000
+
+## Notes
+
+- SRP violations are warnings, not blockers (allow override with `@srp-skip` comment)
+- Store reports in `reports/code-quality/`
+- Use this hook to guide refactoring, not mandate it
+- High complexity functions should be reviewed manually regardless of line count

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "specky-sdd",
-  "version": "2.0.0",
+  "version": "2.2.2",
   "description": "Specky — The open-source MCP server for Spec-Driven Development (SDD). Transforms natural language into production-grade specifications with EARS notation, architecture design, and quality gates.",
   "type": "module",
   "main": "dist/index.js",
@@ -12,12 +12,19 @@
     "build": "tsc && node -e \"const fs=require('fs');const f='dist/index.js';const c=fs.readFileSync(f,'utf8');if(!c.startsWith('#!'))fs.writeFileSync(f,'#!/usr/bin/env node\\n'+c)\" && chmod +x dist/index.js",
     "start": "node dist/index.js",
     "dev": "tsx watch src/index.ts",
-    "clean": "rm -rf dist"
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
   },
   "files": [
     "dist/",
     "templates/",
+    "references/",
+    "hooks/",
     "README.md",
+    "CHANGELOG.md",
+    "SECURITY.md",
     "LICENSE"
   ],
   "engines": {
@@ -43,11 +50,13 @@
   "homepage": "https://github.com/paulasilvatech/specky#readme",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.6.1",
-    "zod": "^3.23.8"
+    "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@types/node": "^22.10.0",
+    "@types/node": "^25.5.0",
+    "@vitest/coverage-v8": "^4.1.0",
     "tsx": "^4.19.2",
-    "typescript": "^5.7.2"
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.0"
   }
 }