feat(catalog): add red-team extension to community catalog#2306
feat(catalog): add red-team extension to community catalog#2306mnriem merged 4 commits intogithub:mainfrom
Conversation
Adds the `red-team` community extension to the catalog: - Adversarial review of functional specs before /speckit.plan locks in architecture. - Complements /speckit.clarify (correctness) and /speckit.analyze (consistency) with parallel adversarial lens agents. - One command: speckit.red-team.run - MIT licensed; requires spec-kit >= 0.7.0. Origin: this extension was originally proposed as a core command (github#2303). Per maintainer guidance (mnriem's comment on that PR), it's been restructured as a community extension hosted at https://github.com/ashbrener/spec-kit-red-team. Dogfood-validated on a 500-line functional spec: 5 lens agents dispatched in parallel returned 25 findings in ~1.5 min wall-clock, 19 of which met the meaningful-finding bar (severity >= HIGH AND novel adversarial angle that clarify/analyze structurally cannot catch). Full detail in the extension's CHANGELOG.
There was a problem hiding this comment.
Pull request overview
Adds the new red-team community extension entry to the community extension reference catalog so users can discover it via catalog.community.json.
Changes:
- Bumped community catalog
updated_attimestamp. - Added a new
extensions.red-teamentry (metadata, URLs, requirements, tags).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Resolves Copilot review comment on github#2306. Previous description (259 chars) exceeded the extensions/EXTENSION-PUBLISHING-GUIDE.md Appendix schema ceiling. Shortened to 188 chars, keeping the distinctive value proposition (adversarial, complements clarify/analyze) and moving the per-phase mechanics to the extension's own README.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Follow-up to v1.0.0 catalog entry: - version: 1.0.0 -> 1.0.1 - download_url: points at v1.0.1 release asset - requires.speckit_version: >=0.7.0 -> >=0.1.0 The v1.0.0 requirement was too strict and blocked installation on common 0.6.x field versions (confirmed via local install attempt). The extension uses no 0.7.x-specific APIs; matches community norm (reconcile, refine, others use >=0.1.0).
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 2
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0 new
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
v1.0.2 ships a /speckit.red-team.gate command wired as a mandatory before_plan hook so /speckit.plan auto-invokes it on every run against qualifying specs. Non-qualifying specs return PROCEED silently; qualifying specs without findings on record return HALT with explicit remediation (run /speckit.red-team.run, or opt out via --skip-red-team-gate: <reason> which is recorded as an Accepted Risk [red-team-skipped] in the plan). Catalog metadata delta: - version: 1.0.1 -> 1.0.2 - download_url: v1.0.2/red-team-v1.0.2.zip - provides.commands: 1 -> 2 (adds speckit.red-team.gate) - provides.hooks: 0 -> 1 (adds before_plan hook) No breaking changes. Projects that do not want the gate simply do not install the extension.
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
|
Thank you! |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "red-team": { | ||
| "name": "Red Team", | ||
| "id": "red-team", | ||
| "description": "Adversarial review of functional specs before /speckit.plan. Parallel adversarial lens agents catch hostile actors, silent failures, and regulatory blind spots that clarify/analyze cannot.", | ||
| "author": "Ash Brener", | ||
| "version": "1.0.2", | ||
| "download_url": "https://github.com/ashbrener/spec-kit-red-team/releases/download/v1.0.2/red-team-v1.0.2.zip", | ||
| "repository": "https://github.com/ashbrener/spec-kit-red-team", | ||
| "homepage": "https://github.com/ashbrener/spec-kit-red-team", | ||
| "documentation": "https://github.com/ashbrener/spec-kit-red-team/blob/main/README.md", | ||
| "changelog": "https://github.com/ashbrener/spec-kit-red-team/blob/main/CHANGELOG.md", | ||
| "license": "MIT", | ||
| "requires": { | ||
| "speckit_version": ">=0.1.0" | ||
| }, | ||
| "provides": { | ||
| "commands": 2, | ||
| "hooks": 1 | ||
| }, | ||
| "tags": [ | ||
| "adversarial-review", | ||
| "quality-gate", | ||
| "spec-hardening", | ||
| "pre-plan", | ||
| "audit" | ||
| ], | ||
| "verified": false, | ||
| "downloads": 0, | ||
| "stars": 0, | ||
| "created_at": "2026-04-22T00:00:00Z", | ||
| "updated_at": "2026-04-22T00:00:00Z" | ||
| }, |
There was a problem hiding this comment.
This PR adds a new entry to extensions/catalog.community.json, but it doesn’t update the root README.md “Community Extensions” table. The extension publishing guide expects both changes in the same PR so the human-readable table stays in sync with the catalog (see extensions/EXTENSION-PUBLISHING-GUIDE.md around the “Update Community Extensions Table” section). Please add a Red Team row in alphabetical order with the repo link.
|
@ashbrener Can you open a follow up PR to also list it in the table as mentioned above? |
Follow-up to #2306 (merged). Per maintainer request (#2306 (comment)), adds the red-team entry to the alphabetically-ordered community-extensions table in README.md so the extension is discoverable alongside the other community entries — not only via catalog.community.json. Slotted alphabetically between "Reconcile Extension" and "Repository Index". Category: docs. Effect: Read+Write (produces a structured findings-report file at specs/<feature-id>/red-team-findings-*.md; does not modify specs — every resolution is maintainer-authorised). Co-authored-by: Ash Brener <ashley@midletearth.com>
Summary
Adds the
red-teamcommunity extension toextensions/catalog.community.jsonfor discovery.Extension repo: https://github.com/ashbrener/spec-kit-red-team
Release: https://github.com/ashbrener/spec-kit-red-team/releases/tag/v1.0.2
Install model (important)
catalog.community.jsonis discovery-only (install_allowed: falsein the default catalog stack — seeextensions/EXTENSION-USER-GUIDE.md§Extension Catalogs andextensions/RFC-EXTENSION-SYSTEM.md§Default Built-in Stack). Merging this PR makes the extension visible tospecify extension search, butspecify extension add <name>against the community catalog is NOT the expected install path.End users install the extension via one of:
.specify/extension-catalogs.ymlthat overrides the defaultinstall_allowed: false.The PR's value is discoverability —
specify extension search red-teamsurfaces the entry, andspecify extension info red-teamreturns the metadata (repo, docs, homepage, changelog, version, release asset URL), pointing users to the install-ready release. This is the intended role ofcatalog.community.jsonper the RFC.What the extension does
Adversarial review of functional specs before
/speckit.planlocks in architecture. Complements/speckit.clarify(correctness) and/speckit.analyze(consistency) with parallel adversarial lens agents./speckit.clarify/speckit.analyze/speckit.red-team.run(new extension)/speckit.red-team.gate(new extension,before_planhook)/speckit.planif a qualifying spec has no findings on recordClarify and analyze are structurally incapable of surfacing certain classes of issue — prompt injection in untrusted LLM inputs, self-approval segregation-of-duties gaps in workflows that are internally consistent, race conditions at configuration-change boundaries, cross-spec drift between cooperating halves of an interface contract, missing audit-chain integrity on "immutable" records. The red team adds an adversarial layer.
speckit.red-team.run+speckit.red-team.gate(2 commands, 1 hook)Origin
Originally proposed as a core command (#2303). Per @mnriem's maintainer direction — comment on #2303:
This PR delivers on that direction: the protocol has been restructured as a community extension in its own public repo (ashbrener/spec-kit-red-team), released at v1.0.2, and this PR adds the entry to the community catalog for discovery via
specify extension search.The command body and design also incorporate two rounds of Copilot review feedback from #2303 (dot-notation alignment, CLI contract hygiene, inline error-message shapes, US spelling, threshold consistency, simplified interactivity model). All 10 review threads on #2303 are resolved.
Versioning note
requires.speckit_version: ">=0.7.0".">=0.1.0"(v1.0.0 requirement was overly conservative; extension uses no 0.7.x-specific API surface; confirmed via local install verification). Matches community norm used byreconcile,refine, and other catalog entries.speckit.red-team.gatecommand and a mandatorybefore_planhook./speckit.planauto-invokes the gate on every run; non-qualifying specs returnPROCEEDsilently; qualifying specs with findings on record returnSATISFIED; qualifying specs without findings returnHALTwith explicit remediation options. Closes the Principle-VIII enforcement gap that left the protocol reliant on maintainer memory.The catalog entry in this PR reflects v1.0.2 metadata.
Dogfood validation
The protocol was validated against real 500-line + 1,400-line functional specs in a private project before this PR. Two red team sessions (RT-005 on the triage engine, RT-002 on the project's anchor PRD) dispatched five adversary agents in parallel and returned 25 findings each in ~2 min wall-clock — well under the 30-min soft target. In both sessions, ≥ 75% of findings met the "meaningful finding" bar: severity ≥ HIGH AND represents an adversarial scenario clarify/analyze structurally cannot catch. Notable catches include a cross-spec identifier-type drift between two halves of the same interface contract introduced by a separate commit 1 hour earlier, a hallucinated-extraction defect that defeated a downstream citation-verification hardening layer, and four parallel "immutable" storage claims with no storage-layer enforcement.
Test plan
specify extension search red-teamonce catalog is live (discovery path — the primary value of this PR)specify extension add --from https://github.com/ashbrener/spec-kit-red-team(verified locally against spec-kit 0.6.2 for v1.0.1; same code path for v1.0.2)/speckit.red-team.runand/speckit.red-team.gateregister, and thebefore_planhook auto-invokes/speckit.red-team.gateon next/speckit.planrunRelated
🤖 Generated with Claude Code