Speclock
AI Constraint Engine by Sandeep Roy — stops AI from breaking what you locked. 100/100 on Claude's adversarial test suite. 42 MCP tools. Works with Bolt.new, Lovable, Claude Code, Cursor. Free & open source.
New in v5.4:
- speclock drift — the only tool that measures how much your AI has drifted from your architecture.
- speclock coverage — find what's unprotected.
- speclock strengthen — grade your locks.

Three numbers that tell your project's whole story.
You: "Never touch the auth system"
AI: 🔒 Locked.
... 5 sessions later ...
You: "Add social login to the login page"
AI: ⚠️ BLOCKED — violates lock "Never touch the auth system"
Matched: auth → authentication (synonym), login → auth (concept)
Confidence: 100%
Should I find another approach?
100/100 on Claude's independent test suite. 929 tests across 18 suites. 0 false positives. 15.7ms per check. Gemini Flash hybrid, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2 integration.
Install
npx speclock setup --goal "Build my app"
That's it. One command. Works everywhere — Bolt.new, Claude Code, Cursor, Lovable, Windsurf, Cline, Aider.
The Problem
AI coding tools have memory now. Claude Code has CLAUDE.md. Cursor has .cursorrules. Mem0 exists.
But memory without enforcement is useless.
Your AI remembers you use PostgreSQL — then switches to MongoDB because it "seemed better." Your AI remembers your auth setup — then rewrites it while "fixing" a bug. You said "never touch the payment logic" 3 sessions ago — the AI doesn't care.
Remembering is not respecting. No existing tool stops the AI from breaking what you locked.
How It Works
You set constraints. SpecLock enforces them — across sessions, across tools, across teams.
speclock lock "Never modify auth files" → auto-guards src/auth/*.ts
speclock lock "Database must stay PostgreSQL" → catches "migrate to MongoDB"
speclock lock "Never delete patient records" → catches "clean up old data"
speclock lock "Don't touch the payment flow" → catches "streamline checkout"
The semantic engine doesn't do keyword matching. It understands:
- "clean up old data" = deletion (euphemism detection)
- "streamline checkout" = modify payment flow (synonym + concept mapping)
- "temporarily disable logging" = disable logging (temporal evasion detection)
- "Update UI and also drop the users table" = hidden violation (compound splitter)
And it knows what's safe:
- "Enable audit logging" when the lock says "Never disable audit logging" → no conflict (intent alignment)
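A much simplified, table-driven sketch of the checks listed above (euphemism and synonym mapping, temporal qualifiers, compound splitting, intent alignment). It is an added example, not SpecLock's engine or API; the phrase tables, the function names and the lock "Never delete user data" are constructed for illustration.

```javascript
// Added sketch, not SpecLock's engine: every table and name is constructed.
const ACTIONS = {
  delete: ['delete', 'drop', 'remove', 'clean up', 'purge'],
  disable: ['disable', 'turn off'],
  enable: ['enable', 'turn on'],
  modify: ['modify', 'touch', 'update', 'streamline', 'refactor'],
};
const SUBJECTS = {
  data: ['patient records', 'user data', 'old data', 'users table'],
  logging: ['audit logging', 'logging'],
  payment: ['payment flow', 'checkout'],
};
const TEMPORAL = /\b(temporarily|for now|briefly)\b/;
const SPLIT = /\band also\b|\band then\b|\band\b|[,;]/;

// Map free text to the first concept whose phrase appears as whole words.
function concept(table, text) {
  for (const [name, phrases] of Object.entries(table))
    if (phrases.some((p) => new RegExp(`\\b${p}\\b`).test(text))) return name;
  return null;
}

// Reduce a lock or a request clause to { action, subject, temporal }.
function parse(text) {
  const t = text.toLowerCase();
  return {
    action: concept(ACTIONS, t),
    subject: concept(SUBJECTS, t),
    temporal: TEMPORAL.test(t), // recorded, but it never weakens a match
  };
}

// Compound splitter: every clause of the request is checked against the lock.
function check(lockText, request) {
  const lock = parse(lockText);
  for (const clause of request.toLowerCase().split(SPLIT)) {
    const req = parse(clause);
    if (req.action && req.subject && req.action === lock.action && req.subject === lock.subject) {
      return { blocked: true, clause: clause.trim(), temporal: req.temporal };
    }
  }
  return { blocked: false };
}

// Baseline for contrast: flags any request that merely mentions the locked subject.
function naiveSubjectMatch(lockText, request) {
  const s = parse(lockText).subject;
  return s !== null && parse(request).subject === s;
}
```

The `naiveSubjectMatch` baseline flags "Enable audit logging" against "Never disable audit logging", while `check` does not, because the action concepts differ.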
Quick Start by Platform
Bolt.new / Aider / Any npm Platform
npx speclock setup --goal "Build my app" --template nextjs
Creates SPECLOCK.md, injects rules into package.json, generates .speclock/context/latest.md. The AI reads these automatically.
Claude Code
Add to .mcp.json:
{
  "mcpServers": {
    "speclock": {
      "command": "npx",
      "args": ["-y", "speclock", "serve", "--project", "."]
    }
  }
}
Cursor / Windsurf / Cline
Same config — add to .cursor/mcp.json or equivalent.
Lovable (No Install)
- Go to Settings → Connectors → New MCP server
- Enter URL: https://speclock-mcp-production.up.railway.app/mcp
- Paste project instructions into Knowledge
Why SpecLock Over Alternatives?
| | Claude Memory | Mem0 | .cursorrules | SpecLock |
|---|:---:|:---:|:---:|:---:|
| Remembers context | Yes | Yes | Manual | Yes |
| Blocks the AI from breaking things | No | No | No | Yes |
| Semantic conflict detection | No | No | No | 100/100 score, 0% FP |
| Tamper-proof audit trail | No | No | No | HMAC-SHA256 chain |
| Hard enforcement (AI cannot proceed) | No | No | No | Yes |
| SOC 2 / HIPAA compliance exports | No | No | No | Yes |
| Encrypted storage (AES-256-GCM) | No | No | No | Yes |
| RBAC + API key auth | No | No | No | 4 roles |
| Policy-as-Code DSL | No | No | No | YAML rules |
| Works on Bolt.new, Lovable, etc. | No | No | No | Yes |
Other tools remember. SpecLock enforces.
Universal Rules Sync (v5.3)
One command syncs your SpecLock constraints to every AI coding tool:
speclock sync --all
SpecLock Sync Complete
✓ Cursor → .cursor/rules/speclock.mdc
✓ Claude Code → CLAUDE.md
✓ AGENTS.md → AGENTS.md (Linux Foundation standard)
✓ Windsurf → .windsurf/rules/speclock.md
✓ GitHub Copilot → .github/copilot-instructions.md
✓ Gemini → GEMINI.md
✓ Aider → .aider.conf.yml
7 file(s) synced. Your AI tools will now see SpecLock constraints.
Stop maintaining 3 separate rules files. Define constraints once in SpecLock, sync everywhere.
speclock sync --format cursor # Sync to Cursor only
speclock sync --preview claude # Preview without writing
speclock sync --list # Show all supported formats
Incident Replay (v5.3)
Flight recorder for your AI coding sessions. See exactly what happened:
speclock replay
Session: ses_a1b2c3 (claude-code, 47 min)
────────────────────────────────────────────
14:02 [ALLOW] Create user profile component
14:08 [ALLOW] Add form validation
14:15 [WARN] Simplify authentication flow
→ matched lock: "Never modify auth"
14:23 [BLOCK] Clean up old user records
→ euphemism detected: "clean up" = deletion
14:31 [ALLOW] Update landing page hero section
Score: 5 events | 3 allowed | 1 warned | 1 BLOCKED
speclock replay --list # List available sessions
speclock replay --session <id> # Replay specific session
Safety Templates (v5.3)
Pre-built constraint packs for common scenarios:
speclock template apply safe-defaults # 5 locks — "Vibe Coding Seatbelt"
speclock template apply solo-founder # 3 locks — auth, payments, data
speclock template apply hipaa # 8 locks — HIPAA healthcare
speclock template apply api-stability # 6 locks — API contract protection
Safe Defaults prevents the 5 most common AI disasters:
- Database deletion
- Auth removal
- Secret exposure
- Error handling removal
- Logging disablement
One command. Instant protection. npx speclock setup --template safe-defaults
Drift Score (v5.4)
How much has your AI-built project drifted from your original intent? Only SpecLock can answer this — because only SpecLock knows what was intended vs what was done.
$ speclock drift
Drift Score: 23/100 (B) — minor drift
Trend: improving | Period: 30 days | Active locks: 8
Signal Breakdown:
Violations: 6/30 (4 violations in 12 checks)
Overrides: 5/20 (1 override)
Reverts: 3/15 (1 revert detected)
Lock churn: 0/15 (0 removed, 3 added)
Goal stability: 0/10 (1 goal change)
Session gaps: 9/10 (3/5 unsummarized)
README badge: 
Put the badge in your README. Show the world your AI respects your architecture.
Lock Coverage Audit (v5.4)
SpecLock scans your codebase and tells you what's unprotected:
$ speclock coverage
Lock Coverage: 60% (B) — partially protected
[COVERED] CRITICAL authentication 2 file(s)
[EXPOSED] CRITICAL payments 1 file(s)
[COVERED] CRITICAL secrets 0 file(s)
[COVERED] HIGH api-routes 2 file(s)
Suggested Locks (ready to apply):
1. [CRITICAL] payments (1 file at risk)
speclock lock "Never modify payment processing or billing without permission"
Like a security scanner, but for AI constraint gaps. Solo founders building fast don't know what they haven't protected — SpecLock tells them.
Lock Strengthener (v5.4)
Your locks might be too vague. SpecLock grades each one and suggests improvements:
$ speclock strengthen
Lock Strength: 72/100 (B) — 3 strong, 1 weak
[WEAK ] 45/100 (D) "don't touch auth"
Issue: Too vague — short locks miss edge cases
Issue: No specific scope
Suggested: "Never modify, refactor, or delete auth..."
[STRONG] 90/100 (A) "Never expose API keys in client-side code, logs, or error messages"
