registry  /  spec-first  /  1.13.0

spec-first@1.13.0

AI Coding Harness for Claude Code, Codex, Kiro, Qoder, and Cursor generated-runtime preview — turns one-off AI coding chats into a repo-backed, verifiable engineering loop for spec-driven development. Scripts prepare facts; LLMs decide; evidence stays in

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an AI coding harness that explicitly installs first-party workflow assets and hooks into project-scoped Claude/Codex runtime paths when the user runs `spec-first init`.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `spec-first init` or selected CLI commands/startup reminders; npm install alone has no lifecycle trigger.
Impact
Installs workflow guidance/hooks under project runtime directories; version checks contact project/npm metadata endpoints. No unconsented install-time mutation, payload execution, credential theft, or destructive behavior was confirmed.
Mechanism
First-party AI-agent runtime setup plus package-aligned version checks
Rationale
Source inspection shows a package-aligned developer workflow tool with explicit user-invoked AI-agent runtime setup and bounded startup/version reminders. Because there are no lifecycle hooks, import-time side effects, credential collection, arbitrary remote payload execution, or unconsented broad control-surface mutations, this is not malicious; the agent-extension behavior is expected product functionality.
Evidence
package.jsonbin/spec-first.jssrc/cli/index.jssrc/cli/commands/init.jssrc/cli/adapters/claude.jssrc/cli/adapters/codex.jssrc/cli/claude-settings.jssrc/cli/helpers/context-bundle.jssrc/cli/version-reminder.jstemplates/codex/hooks/session-starttemplates/codex/hooks/hooks.jsontemplates/claude/hooks/session-start.claude/settings.json.claude/hooks/session-start.claude/hooks/spec-plan-guard.claude/hooks/prd-prewrite-guard.claude/hooks/prd-readiness-guard.codex/hooks.json.codex/hooks/session-start.codex/hooks/session-start.cmd.agents/skills/**.codex/agents/**
Network endpoints3
raw.githubusercontent.com/sunrain520/spec-first/main/package.jsonregistry.npmjs.org/<package>/latestgithub.com/sunrain520/spec-first

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Explicit `spec-first init` plans writes to `.claude/settings.json`, `.claude/hooks/*`, `.codex/hooks.json`, `.codex/hooks/*`, `.agents/skills`, and `.codex/agents`.
  • Generated SessionStart hooks execute bundled CLI `startup-reminder` and inject workflow guidance into Claude/Codex sessions.
  • `src/cli/version-reminder.js` fetches latest version metadata from GitHub/raw npm registry during selected CLI commands/startup reminders.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare lifecycle scripts; install alone does not mutate agent control surfaces.
  • CLI entry `bin/spec-first.js` only checks Node version then dispatches user-provided commands.
  • Runtime control-surface writes are tied to explicit `spec-first init`/clean flows with preview/confirmation or `-y`, not import-time execution.
  • Context-bundle child process use is limited to `git rev-parse --show-toplevel` and rejects outside-repo paths by realpath checks.
  • No credential harvesting or exfiltration flow found in inspected entrypoints, helpers, or hook templates.
  • Network endpoints are package-aligned version/help/update metadata, not arbitrary payload download/execute.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 140 file(s), 1.42 MB of source, external domains: github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
bin/spec-first.jsView file
4(function () { L5: const { ensureSupportedNodeVersion } = require('../src/cli/node-version'); L6:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/spec-first.jsView on unpkg · L4
templates/codex/hooks/session-start.cmdView file
path = templates/codex/hooks/session-start.cmd kind = build_helper sizeBytes = 92 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/codex/hooks/session-start.cmdView on unpkg
src/cli/helpers/context-bundle.jsView file
matchType = previous_version_dangerous_delta matchedPackage = spec-first@1.12.1 matchedIdentity = npm:c3BlYy1maXJzdA:1.12.1 similarity = 0.842 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/helpers/context-bundle.jsView on unpkg

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltasrc/cli/helpers/context-bundle.js
MediumDynamic Requirebin/spec-first.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/codex/hooks/session-start.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings