Skip to content

Add tekimax-security to community catalog#2200

Open
kaman1 wants to merge 1 commit intogithub:mainfrom
kaman1:add-tekimax-security
Open

Add tekimax-security to community catalog#2200
kaman1 wants to merge 1 commit intogithub:mainfrom
kaman1:add-tekimax-security

Conversation

@kaman1
Copy link
Copy Markdown

@kaman1 kaman1 commented Apr 13, 2026

Adds tekimax-security (TEKIMAX Secure SDD) to the community catalog.

What it does

tekimax-security is a security-first extension that plugs into Spec Kit's hook system and adds security gates to the SDD lifecycle. It catches AI technical debt at the point where it's cheapest to fix — in the spec, before code exists.

Gate Phase Catches
Data Contract SPECIFY Unvetted sources, unprotected PII, undeclared schemas, hidden bias, drift
Threat Model DESIGN STRIDE coverage, unmitigated high/critical threats
Model Governance DESIGN Unpinned versions, missing rollback plans, no eval baselines
Guardrails SPECIFY/IMPLEMENT Inline prompts, missing input validation, no output redaction
Red Team VERIFY Automated adversarial scenarios executed against staging
Inline Content Scan IMPLEMENT Committed secrets, direct SDK imports outside the gateway layer

It provides 7 commands and 5 hooks wired into after_specify, after_plan, before_implement, after_implement, and before_analyze. It ships an automated red-team runner that parses scenarios and executes them against a staging endpoint with safety guards (refuses prod URLs, rate-limited, injects an X-Red-Team header), then classifies responses and writes a JSONL trace for audit.

The extension is stack-agnostic — it enforces the existence of security controls (AI gateway, guardrails, PII encryption, RBAC, schema validation) without requiring specific vendors.

Why this fills a gap

Spec Kit excels at turning specifications into code. The existing security-review extension in the catalog is a 3-command, 0-hook post-implementation code audit. tekimax-security is different: it's a lifecycle-wide gate system that enforces security controls at every SDD phase transition via hooks, and includes proactive STRIDE threat modeling, model governance gating, and an automated red-team runner.

Verification

  • extension.yml validates against the spec-kit schema
  • Installs cleanly via specify extension add --dev and registers all 7 commands
  • All commands appear in .claude/skills/speckit-tekimax-security-*
  • Gate-check script tested end-to-end (pass + block scenarios)
  • Post-impl audit script tested (catches inline prompts and committed secrets)
  • Red-team runner tested with scenario parsing and safety guards
  • .extensionignore excludes dev-only files
  • Cross-platform POSIX bash — tested on macOS and Linux
  • Apache-2.0 license included
  • SECURITY.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md present

Links

Compatibility

Requires speckit_version >= 0.1.0. Tested against 0.6.2.

Contact

Happy to iterate on formatting, wording, or the catalog entry structure if anything's off. Thanks for shipping the extension API — it's genuinely a great surface to build on.

Add tekimax-security to community catalog
5d71cfb 
Adds an entry for TEKIMAX Secure SDD, a security-first extension
that wires threat modeling (STRIDE), data contracts, AI guardrails,
model governance, automated red teaming, and post-implementation
audit into Spec Kit's hook system.

- 7 slash commands across SPECIFY / DESIGN / IMPLEMENT / VERIFY
- 5 phase hooks: after_specify, after_plan, before_implement,
  after_implement, before_analyze
- Apache-2.0 licensed
- Repository: https://github.com/TEKIMAX/speckit-security
@kaman1 kaman1 requested a review from mnriem as a code owner April 13, 2026 09:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mnriem mnriem Awaiting requested review from mnriem mnriem is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kaman1