Reproducible Spec-Driven Development for Codex — in one command.
Turn any Git repository into a tested GitHub Spec Kit + Codex workspace with pinned inputs, reusable skills, GitHub issue automation, and a lockfile you can replay.
Note
speckit-bootstrap is a community project. It builds on the official
GitHub Spec Kit, but it isn't affiliated
with or endorsed by GitHub.
Spec-Driven Development is powerful. Keeping its CLI, workflows, extensions, agent skills, project policy, and tracker integration aligned by hand isn't.
speckit-bootstrap turns that moving toolchain into one idempotent command:
speckit-bootstrap .| Without bootstrap | With speckit-bootstrap |
|---|---|
| Install and wire every component manually | One command installs or refreshes the complete stack |
| “Latest” changes underneath you | Every resolved tag, commit, source, and payload digest is locked |
| Drift appears during implementation | --doctor detects drift before work starts |
| Upgrades leave noisy or partial state | Changes are staged, validated, and applied atomically |
| Agent and GitHub conventions vary by project | Reusable Codex skills and issue canon are installed consistently |
| Rollback means reconstructing an old setup | --frozen replays and verifies the recorded dependency set |
You need macOS or Ubuntu with git, curl, python3, and
uv. You also need the codex CLI unless you run
bootstrap with --skip-ponytail.
curl -fsSL https://raw.githubusercontent.com/yshishenya/speckit-bootstrap/main/install.sh | bashThe installer resolves the latest GitHub Release, downloads the executable and its SHA-256 file, verifies the checksum and shell syntax, and installs it atomically at:
~/.local/bin/speckit-bootstrap
Make sure ~/.local/bin is on your PATH, then verify the installation:
export PATH="$HOME/.local/bin:$PATH"
speckit-bootstrap --versionRe-run the installer at any time to update. To install a specific release:
curl -fsSL https://raw.githubusercontent.com/yshishenya/speckit-bootstrap/main/install.sh |
SPECKIT_BOOTSTRAP_VERSION=v0.7.0 bashTip
Prefer to inspect scripts before running them? Download
install.sh, review it locally, and run it with bash.
For a new repository:
mkdir my-project
cd my-project
git init
speckit-bootstrap .For an existing repository:
cd /path/to/project
speckit-bootstrap .The first successful run creates or refreshes:
.specify/
.specify/speckit-bootstrap.lock.json
AGENTS.md
docs/agent-guidance/
.github/ISSUE_TEMPLATE/
.github/pull_request_template.md
~/.agents/skills/speckit-*
Review the diff before committing the generated project baseline.
speckit-bootstrap . --doctor--doctor is read-only. It checks the installed CLI source, locked workflow,
extension payloads, Ponytail state, project guidance, and every managed global
skill digest. A healthy installation reports speckit-bootstrap: doctor OK.
- Official Spec Kit, pinned. The latest official
v*tag is resolved to its immutable commit SHA before installation. - Codex-native workflows. Generated
speckit-*skills are synchronized to~/.agents/skillsand project-local duplicates are removed by default. - Reproducible refreshes. The lock records versions, commit refs, source URLs, workflow hashes, extension trees, and managed skill digests.
- Safe GitHub tracking. The bundled
github-issue-canoninstalls structured issue forms, a pull request template, validation hooks, and closeout rules. - Ponytail integration. Codex owns the
Ponytailplugin lifecycle while bootstrap pins its source and keeps project guidance current. - Respect for user-owned state. Existing catalogs, unrelated skills, guidance, and GitHub templates are preserved.
- Fail-closed validation. Version drift, checksum drift, missing managed files, and tampered executable agent inputs stop the run.
- Clean Git diffs. Refresh-only Spec Kit install metadata is hidden from normal diffs while behavioral project changes stay visible.
flowchart LR
A["speckit-bootstrap ."] --> B["Official GitHub Spec Kit<br/>tag resolved to commit SHA"]
A --> C["Codex skills<br/>~/.agents/skills"]
A --> D["GitHub issue canon<br/>templates + hooks"]
A --> E["Ponytail plugin<br/>pinned source + guidance"]
B --> F["Reproducibility lock"]
C --> F
D --> F
E --> F
F --> G["Post-install verification"]
The bootstrap never changes upstream repositories. It applies explicit, reviewable managed sections to generated project files, stages global skill updates before swapping them, and restores the previous state when a managed replacement fails.
The default non-frozen run intentionally starts from current stable releases:
- Resolve the latest approved release tags.
- Resolve each tag to an immutable commit.
- Install and validate the workflow, extensions, plugin, and skills.
- Record exact sources and payload digests in
.specify/speckit-bootstrap.lock.json. - Verify the completed installation before reporting success.
Later, replay that contract without resolving new versions:
speckit-bootstrap . --frozenFrozen mode preserves the lock and fails if locked executable inputs have drifted.
Use the fast path when you start work or want to refresh integrations:
# Preview versions and planned mutations.
speckit-bootstrap . --dry-run --json
# Apply the refresh.
speckit-bootstrap .
# Verify the result without writing.
speckit-bootstrap . --doctorThen use the normal Spec Kit skills in Codex:
$speckit-specify
$speckit-clarify
$speckit-plan
$speckit-checklist
$speckit-tasks
$speckit-analyze
$speckit-taskstoissues
$speckit-implement
$speckit-clarify, $speckit-checklist, and $speckit-analyze are quality
gates you can apply according to risk. Use $speckit-taskstoissues for tracked
feature work with a GitHub remote; skip it for read-only, documentation-only,
or tiny direct changes.
When task-to-issue synchronization runs, the installed extension automatically:
- ensures the repository's issue canon files and labels before sync;
- validates open Spec Kit issues after sync;
- keeps
tasks.mdas the implementation source of truth; - links implementation, pull request, validation, and closeout evidence.
Important
The bundled GitHub issue and pull request governance is Russian-first by default. This is an intentional project convention and is documented in the generated agent guidance.
This project is deliberately more than a package installer. It installs a reviewable development policy intended to keep agents, repository artifacts, and external tracking aligned:
- Git auto-commit is enabled after completed documentation stages:
constitution,specify,clarify,plan,checklist,tasks, andanalyze. - Every
before_*hook,after_implement, andafter_taskstoissuesstays disabled. Implementation code and external tracker changes remain explicit. tasks.mdis the implementation source of truth. GitHub Issues are the external execution, review, and closeout tracker.- Tracked issue titles follow
[<feature>][<priority>][<area>] T###: <Russian outcome>. - Generated plan and task templates require an explicit risk and validation lane before implementation.
- Product applications and deployed services use CalVer; reusable tools and libraries use SemVer.
- Ponytail shapes implementation behavior but doesn't weaken the selected
validation lane. Review installed hooks with
/hooksafter installation or upgrade.
Managed policy sections remain visible in the project diff. User-owned content outside those sections is preserved.
speckit-bootstrap [PROJECT_DIR] [OPTIONS]
| Option | Effect |
|---|---|
--doctor |
Verify project and user state without changing it |
--dry-run |
Resolve inputs and print the mutation plan only |
--version |
Print the bootstrap version and exit |
--frozen |
Use and verify versions from the project lock |
--json |
Reserve stdout for one machine-readable result |
--keep-local-skills |
Keep generated project-local skill duplicates |
--skip-cli-update |
Use the currently installed specify CLI |
--skip-ponytail |
Skip Ponytail plugin and guidance updates |
-h, --help |
Show complete command help |
Useful recipes:
# Fast refresh without reinstalling specify-cli.
speckit-bootstrap . --skip-cli-update
# Pin or roll back official Spec Kit, then write a new lock.
SPEC_KIT_VERSION=vX.Y.Z speckit-bootstrap .
# Try the current official Spec Kit main branch.
SPEC_KIT_VERSION=main speckit-bootstrap .
# Keep refresh-only install metadata visible for an audit or release.
SPECKIT_TRACK_INSTALL_METADATA=1 speckit-bootstrap .
# Run in a headless environment without Codex/Ponytail.
speckit-bootstrap . --skip-ponytail| Variable | Purpose |
|---|---|
SPEC_KIT_VERSION |
Spec Kit tag or ref; defaults to the latest v* tag |
SPECKIT_EXTENSION_CATALOG_URL |
Override the approved extension catalog |
SPECKIT_GITHUB_ISSUE_CANON_VERSION |
Pin the issue-canon release tag |
SPECKIT_GITHUB_ISSUE_CANON_URL |
Use an explicitly reviewed custom ZIP |
SPECKIT_PONYTAIL_VERSION |
Pin the Ponytail release tag |
SPECKIT_PONYTAIL=0 |
Disable Ponytail plugin and guidance operations |
SPECKIT_TRACK_INSTALL_METADATA=1 |
Expose refresh-only metadata in Git diffs |
SPECKIT_BOOTSTRAP_INSTALL_DIR |
Installer target; defaults to ~/.local/bin |
SPECKIT_BOOTSTRAP_VERSION |
Bootstrap release tag; defaults to latest |
SPECKIT_BOOTSTRAP_URL |
Use a custom installer payload source |
SPECKIT_BOOTSTRAP_SHA256 |
Required checksum for a custom payload source |
SPECKIT_BOOTSTRAP_ALLOW_UNVERIFIED=1 |
Emergency opt-in for a reviewed unverified source |
Run speckit-bootstrap --help for the authoritative interface.
Required:
gitcurlpython3uv
The codex CLI is required when Ponytail is enabled. Use --skip-ponytail in
headless environments.
The maintained compatibility matrix is:
- macOS with the system Bash 3.2;
- Ubuntu with Bash 5.
Other Unix-like environments may work but aren't part of the current CI gate.
The project treats generated agent instructions as executable supply-chain inputs, not harmless documentation.
- Release installation verifies the executable against its published SHA-256.
- External release tags are resolved to immutable commits.
- The issue-canon release asset is verified against the catalog checksum.
- Ponytail's managed marketplace descriptor pins its plugin source to a commit.
- Lock schema v2 captures complete extension and managed-skill trees.
- GitHub Actions are pinned by full commit SHA and audited with
zizmor. - CI tests Bash syntax, ShellCheck, isolated units, workflow security, and live bootstrap behavior on macOS and Ubuntu.
See SECURITY.md for private vulnerability reporting and complete trust boundaries.
Run the fast local gate:
bash tests/ci-local.shRun the pinned end-to-end bootstrap smoke test:
SPEC_KIT_VERSION=v0.12.15 \
SPECKIT_GITHUB_ISSUE_CANON_VERSION=v0.3.1 \
bash tests/smoke-live.shGitHub runs the full functional gate once on each pull request, across macOS and Ubuntu. Merging unchanged code doesn't repeat the same CI. Tag-driven releases package the exact tested commit without rerunning functional CI, while a separate weekly canary detects new upstream incompatibilities.
Read CONTRIBUTING.md before opening a pull request and check CHANGELOG.md for release history.
If speckit-bootstrap saves you setup time:
- star the repository so other Spec Kit and Codex users can find it;
- share the quick-start link with teams adopting Spec-Driven Development;
- open an issue with a reproducible bug or a concrete workflow improvement;
- contribute a focused pull request with validation evidence.
The most useful contribution is a real project story: what you bootstrapped, what manual work disappeared, and where the workflow still got in your way.
Released under the MIT License.