Your AI keeps breaking things you told it not to touch. SpecLock makes it stop. Website · npm · Smithery · GitHub Developed by Sandeep Roy · Free & Open Source (MIT License) 100/100 on Claude's independent test suite. 929 tests across 18 suites. 0 false positives. 15.7ms per check. Gemini Flash hybrid, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2 integration. That's it. One c
Add this skill
npx mdskills install sgroy10/speclockSophisticated MCP server providing semantic constraint enforcement with excellent security features and comprehensive tooling
Your AI keeps breaking things you told it not to touch. SpecLock makes it stop.
Website · npm · Smithery · GitHub
Developed by Sandeep Roy · Free & Open Source (MIT License)
You: "Never touch the auth system"
AI: 🔒 Locked.
... 5 sessions later ...
You: "Add social login to the login page"
AI: ⚠️ BLOCKED — violates lock "Never touch the auth system"
Matched: auth → authentication (synonym), login → auth (concept)
Confidence: 100%
Should I find another approach?
100/100 on Claude's independent test suite. 929 tests across 18 suites. 0 false positives. 15.7ms per check. Gemini Flash hybrid, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2 integration.
npx speclock setup --goal "Build my app"
That's it. One command. Works everywhere — Bolt.new, Claude Code, Cursor, Lovable, Windsurf, Cline, Aider.
AI coding tools have memory now. Claude Code has CLAUDE.md. Cursor has .cursorrules. Mem0 exists.
But memory without enforcement is useless.
Your AI remembers you use PostgreSQL — then switches to MongoDB because it "seemed better." Your AI remembers your auth setup — then rewrites it while "fixing" a bug. You said "never touch the payment logic" 3 sessions ago — the AI doesn't care.
Remembering is not respecting. No existing tool stops the AI from breaking what you locked.
You set constraints. SpecLock enforces them — across sessions, across tools, across teams.
speclock lock "Never modify auth files" → auto-guards src/auth/*.ts
speclock lock "Database must stay PostgreSQL" → catches "migrate to MongoDB"
speclock lock "Never delete patient records" → catches "clean up old data"
speclock lock "Don't touch the payment flow" → catches "streamline checkout"
The semantic engine doesn't do keyword matching. It understands:
And it knows what's safe:
npx speclock setup --goal "Build my app" --template nextjs
Creates SPECLOCK.md, injects rules into package.json, generates .speclock/context/latest.md. The AI reads these automatically.
Add to .mcp.json:
{
"mcpServers": {
"speclock": {
"command": "npx",
"args": ["-y", "speclock", "serve", "--project", "."]
}
}
}
Same config — add to .cursor/mcp.json or equivalent.
https://speclock-mcp-production.up.railway.app/mcp| Claude Memory | Mem0 | .cursorrules | SpecLock | |
|---|---|---|---|---|
| Remembers context | Yes | Yes | Manual | Yes |
| Blocks the AI from breaking things | No | No | No | Yes |
| Semantic conflict detection | No | No | No | 100/100 score, 0% FP |
| Tamper-proof audit trail | No | No | No | HMAC-SHA256 chain |
| Hard enforcement (AI cannot proceed) | No | No | No | Yes |
| SOC 2 / HIPAA compliance exports | No | No | No | Yes |
| Encrypted storage (AES-256-GCM) | No | No | No | Yes |
| RBAC + API key auth | No | No | No | 4 roles |
| Policy-as-Code DSL | No | No | No | YAML rules |
| Works on Bolt.new, Lovable, etc. | No | No | No | Yes |
Other tools remember. SpecLock enforces.
Not keyword matching — real semantic analysis with Gemini Flash hybrid for universal domain coverage. Scored 100/100 on Claude's independent adversarial test battery (7 suites, including false positives, question framing, patch gateway, and diff analysis).
CategoryDetectionExample Direct violations100%"Delete the auth module" vs lock "Never modify auth" Euphemistic attacks100%"Clean up old patient data" = deletion Temporal evasion100%"Temporarily disable MFA" = disable MFA Dilution attacks100%Violation buried in multi-part request Compound sentences100%"Update UI and also drop users table" Synonym substitution100%"Sunset the API" = remove the API Payment brand names (11 gateways)100%"Add Razorpay" / "Implement PayU" vs "Must use Stripe" Salary/payroll cross-vocab100%"Optimize salary" vs "Payroll records locked" Safety system bypass100%"Disable safety interlock" = bypass safety Unknown domains (via Gemini)100%Gaming, biotech, aerospace, music, legal Safe actions (true negatives)0% FP"Change the font" correctly passes auth locks
Under the hood: 65+ synonym groups · 80+ euphemism mappings · domain concept maps (fintech, e-commerce, IoT, healthcare, SaaS, payments, gaming, telecom, government) · intent classifier · compound sentence splitter · temporal evasion detector · verb tense normalization · UI cosmetic detection · safe-intent patterns · passive voice parsing — all in pure JavaScript. Gemini Flash hybrid for grey-zone cases ($0.01/1000 checks).
Two modes:
Advisory (default): AI gets a warning, decides what to do
Hard mode: AI is BLOCKED — MCP returns isError, AI cannot proceed
speclock enforce hard # Enable hard mode — violations above threshold are blocked
speclock override "JIRA-1234: approved by CTO" (logged to audit trail)speclock auth create-key --role developer --name "CI Bot"
# → sk_speclock_a1b2c3... (shown once, stored as SHA-256 hash)
| Role | Read | Write Locks | Override | Admin |
|---|---|---|---|---|
viewer | Yes | — | — | — |
developer | Yes | — | With reason | — |
architect | Yes | Yes | Yes | — |
admin | Yes | Yes | Yes | Yes |
export SPECLOCK_ENCRYPTION_KEY="your-secret"
speclock encrypt # Encrypts brain.json + events.log at rest
PBKDF2 key derivation (100K iterations). Authenticated encryption. HIPAA 2026 compliant.
Every event gets an HMAC-SHA256 hash chained to the previous event. Modify anything — the chain breaks.
$ speclock audit-verify
✓ Audit chain VALID — 247 events, 0 broken links, no tampering detected.
speclock export --format soc2 # SOC 2 Type II report (JSON)
speclock export --format hipaa # HIPAA PHI protection report
speclock export --format csv # All events for auditor spreadsheets
Declarative YAML rules for organization-wide enforcement:
# .speclock/policy.yml
rules:
- name: "HIPAA PHI Protection"
match:
files: ["**/patient/**", "**/medical/**"]
actions: [delete, modify, export]
enforce: block
severity: critical
- name: "No direct DB mutations"
match:
files: ["**/models/**"]
actions: [delete]
enforce: warn
severity: high
Import and export policies between projects. Share constraint templates across your organization.
Paste a PRD, README, or architecture doc — SpecLock extracts all constraints automatically:
Input: "We're building a fintech app. Use React and FastAPI.
Never touch the auth module. Response time must stay
under 200ms. Payments go through Stripe."
Output: 2 text locks:
- "Never touch the auth module"
- "Payments go through Stripe — don't change provider"
1 typed lock:
- response_time_ms
Memory — goal, locks, decisions, notes, deploy facts
| Tool | What it does |
|------|-------------|
| `speclock_init` | Initialize SpecLock in project |
| `speclock_get_context` | Full context pack (the key tool) |
| `speclock_set_goal` | Set project goal |
| `speclock_add_lock` | Add constraint + auto-guard files |
| `speclock_remove_lock` | Soft-delete a lock |
| `speclock_add_decision` | Record architectural decision |
| `speclock_add_note` | Add pinned note |
| `speclock_set_deploy_facts` | Record deploy config |
Enforcement — conflict detection, hard blocking, overrides
| Tool | What it does |
|------|-------------|
| `speclock_check_conflict` | Semantic conflict check against all locks |
| `speclock_set_enforcement` | Switch advisory/hard mode |
| `speclock_override_lock` | Override with reason (audit logged) |
| `speclock_override_history` | View override audit trail |
| `speclock_semantic_audit` | Analyze git diff against locks |
| `speclock_detect_drift` | Scan for constraint violations |
| `speclock_audit` | Audit staged files pre-commit |
Tracking & Sessions — changes, events, session continuity
| Tool | What it does |
|------|-------------|
| `speclock_session_briefing` | Start session + full briefing |
| `speclock_session_summary` | End session + record summary |
| `speclock_log_change` | Log a change with files |
| `speclock_get_changes` | Recent tracked changes |
| `speclock_get_events` | Full event log (filterable) |
| `speclock_checkpoint` | Git tag for rollback |
| `speclock_repo_status` | Branch, commit, diff summary |
Intelligence — suggestions, health, templates, reports
| Tool | What it does |
|------|-------------|
| `speclock_suggest_locks` | AI-powered lock suggestions |
| `speclock_health` | Health score + multi-agent timeline |
| `speclock_apply_template` | Apply constraint template |
| `speclock_report` | Violation stats + most tested locks |
Enterprise — audit, compliance, policy, telemetry
| Tool | What it does |
|------|-------------|
| `speclock_verify_audit` | Verify HMAC chain integrity |
| `speclock_export_compliance` | SOC 2 / HIPAA / CSV reports |
| `speclock_policy_evaluate` | Evaluate policy rules |
| `speclock_policy_manage` | CRUD for policy rules |
| `speclock_telemetry` | Opt-in usage analytics |
Typed Constraints — numerical, range, state, temporal (v5.0)
| Tool | What it does |
|------|-------------|
| `speclock_add_typed_lock` | Add typed constraint (numerical/range/state/temporal) |
| `speclock_check_typed` | Check proposed values against typed constraints |
| `speclock_list_typed_locks` | List all typed constraints |
| `speclock_update_threshold` | Update typed lock thresholds |
Spec Compiler & Code Graph — NL→constraints, dependency analysis (v5.0)
| Tool | What it does |
|------|-------------|
| `speclock_compile_spec` | Compile natural language into structured constraints |
| `speclock_build_graph` | Build/refresh code dependency graph |
| `speclock_blast_radius` | Calculate blast radius of file changes |
| `speclock_map_locks` | Map locks to actual code files |
Patch Gateway & AI Patch Firewall — change review, diff analysis (v5.1/v5.2)
| Tool | What it does |
|------|-------------|
| `speclock_review_patch` | ALLOW/WARN/BLOCK verdict for proposed changes |
| `speclock_review_patch_diff` | Diff-native review with signal scoring + unified verdict |
| `speclock_parse_diff` | Parse unified diff into structured changes (debug/inspect) |
---
## CLI
```bash
# Setup
speclock setup --goal "Build my app" --template nextjs
# Constraints
speclock lock "Never modify auth files" --tags auth,security
speclock lock remove
speclock check "Add social login" # Test before doing
# Enforcement
speclock enforce hard # Block violations
speclock override "JIRA-1234" # Override with reason
# Audit & Compliance
speclock audit-verify # Verify HMAC chain
speclock export --format soc2 # Compliance report
speclock audit-semantic # Semantic pre-commit
# Git
speclock hook install # Pre-commit hook
speclock audit # Audit staged files
# Templates
speclock template apply nextjs # Pre-built constraints
speclock template apply security-hardened
# Auth
speclock auth create-key --role developer
speclock auth rotate-key
# Policy
speclock policy init # Create policy.yml
speclock policy evaluate --files "src/auth/*" # Test against rules
Full command reference: npx speclock help
When you lock something, SpecLock finds related files and injects a warning the AI sees when it opens them:
speclock lock "Never modify auth files"
→ Auto-guarded 2 files:
🔒 src/components/Auth.tsx
🔒 src/contexts/AuthContext.tsx
The AI opens the file and sees:
// ============================================================
// SPECLOCK-GUARD — DO NOT MODIFY THIS FILE
// LOCKED: Never modify auth files
// ONLY "unlock" or "remove the lock" is permission to edit.
// ============================================================
┌──────────────────────────────────────────────────┐
│ AI Tool (Claude Code, Cursor, Bolt.new...) │
└────────────┬──────────────────┬──────────────────┘
│ │
MCP Protocol (42 tools) npm File-Based
│ (SPECLOCK.md + CLI)
│ │
┌────────────▼──────────────────▼──────────────────┐
│ SpecLock Core Engine │
│ │
│ Semantic Engine ─── 65+ synonym groups │
│ HMAC Audit ──────── SHA-256 hash chain │
│ Enforcer ────────── advisory / hard block │
│ Auth + RBAC ─────── 4 roles, API keys │
│ AES-256-GCM ─────── encrypted at rest │
│ Policy DSL ──────── YAML rules │
│ Compliance ──────── SOC 2, HIPAA, CSV │
│ SSO ─────────────── Okta, Azure AD, Auth0 │
└──────────────────────┬───────────────────────────┘
│
.speclock/
├── brain.json (project memory)
├── events.log (HMAC audit trail)
├── policy.yml (policy rules)
├── auth.json (API keys — gitignored)
└── context/
└── latest.md (AI-readable context)
3 npm dependencies. Zero runtime dependencies for the semantic engine. Pure JavaScript.
| Variable | Default | Description |
|---|---|---|
SPECLOCK_API_KEY | — | API key for authenticated access |
SPECLOCK_ENCRYPTION_KEY | — | Enables AES-256-GCM encryption at rest |
SPECLOCK_NO_PROXY | false | Set true for heuristic-only mode (~250ms). Skips the Gemini proxy (~2s) |
SPECLOCK_LLM_KEY | — | Your own LLM API key (Gemini/OpenAI/Anthropic) |
GEMINI_API_KEY | — | Google Gemini API key for hybrid conflict detection |
SPECLOCK_TELEMETRY | false | Opt-in anonymous usage analytics |
Tip: The heuristic engine alone scores 95%+ accuracy at ~250ms. The Gemini proxy adds cross-domain coverage but takes ~2s. For fastest response, set
SPECLOCK_NO_PROXY=true.
Pre-publish gate runs all 18 suites before every npm publish. If any test fails, publish is blocked.
| Suite | Tests | Pass Rate | What it covers |
|---|---|---|---|
| Real-World Testers | 111 | 100% | 5 developers, 30+ locks, diverse domains |
| Adversarial Conflict | 46 | 100% | Euphemisms, temporal evasion, compound sentences |
| Phase 4 (Multi-domain) | 91 | 100% | Fintech, e-commerce, IoT, healthcare, SaaS |
| Sam (Enterprise HIPAA) | 124 | 100% | HIPAA locks, PHI, encryption, RBAC |
| Auth & Crypto | 114 | 100% | API keys, RBAC, AES-256 encryption |
| John (Indie Dev Journey) | 86 | 100% | 8-session Bolt.new build with 5 locks |
| Diff-Native Review | 76 | 100% | Interface breaks, schema changes, API impact |
| Patch Gateway | 57 | 100% | ALLOW/WARN/BLOCK verdicts, blast radius |
| Compliance Export | 50 | 100% | SOC 2, HIPAA, CSV formats |
| Enforcement | 40 | 100% | Hard/advisory mode, overrides |
| Audit Chain | 35 | 100% | HMAC-SHA256 chain integrity |
| Code Graph | 33 | 100% | Import parsing, blast radius, lock mapping |
| Spec Compiler | 24 | 100% | NL→constraints parsing, auto-apply |
| Typed Constraints | 13 | 100% | Numerical, range, state, temporal validation |
| Claude Regression | 9 | 100% | Vue detection, safe-intent, patch gateway |
| Question Framing | 9 | 100% | "What if we..." and "How hard would it be..." |
| REST API v2 | 9 | 100% | Typed constraint endpoints, SSE |
| PII/Export Detection | 8 | 100% | SSN, email export, data access violations |
| Total | 929 | 100% | 18 suites, 15+ domains |
External validation: Claude's independent 7-suite adversarial test battery — 100/100 (100%) on v5.2.6. Zero false positives. Zero missed violations. 15.7ms per check.
Tested across: fintech, e-commerce, IoT, healthcare, SaaS, gaming, biotech, aerospace, payments, payroll, robotics, autonomous systems, telecom, insurance, government. All 11 Indian payment gateways detected. Zero false positives on UI/cosmetic actions.
8 sessions building an ecommerce app. 5 locks (auth, Firebase, Supabase, shipping, Stripe). Every direct violation caught. Every euphemistic attack caught ("clean up auth", "modernize database", "streamline serverless"). Zero false positives on safe actions (product page, cart, dark mode). 86/86 tests passed.
10 sessions with 8 HIPAA locks. Every violation caught — expose PHI, remove encryption, disable audit, downgrade MFA, bypass FHIR. Euphemistic HIPAA attacks caught ("simplify data flow", "modernize auth"). Full auth + RBAC + encryption + compliance export workflow verified. 124/124 tests passed.
| Tier | Price | What you get |
|---|---|---|
| Free | $0 | 10 locks, conflict detection, MCP, CLI |
| Pro | $19/mo | Unlimited locks, HMAC audit, compliance exports |
| Enterprise | $99/mo | + RBAC, encryption, SSO, policy-as-code |
Issues and PRs welcome on GitHub.
SpecLock is created and maintained by Sandeep Roy.
Sandeep Roy is the sole developer of SpecLock — the AI Constraint Engine that enforces project rules across AI coding sessions. All 42 MCP tools, the semantic conflict detection engine, enterprise security features (SOC 2, HIPAA, RBAC, encryption), and the pre-publish test gate were designed and built by Sandeep Roy.
SpecLock v5.2.6 — Developed by Sandeep Roy — 929 tests, 100% pass rate, 42 MCP tools, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.
Install via CLI
npx mdskills install sgroy10/speclock→ skspeclocka1b2c3... (shown once, stored as SHA-256 hash) is a free, open-source AI agent skill. Your AI keeps breaking things you told it not to touch. SpecLock makes it stop. Website · npm · Smithery · GitHub Developed by Sandeep Roy · Free & Open Source (MIT License) 100/100 on Claude's independent test suite. 929 tests across 18 suites. 0 false positives. 15.7ms per check. Gemini Flash hybrid, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2 integration. That's it. One c
Install → skspeclocka1b2c3... (shown once, stored as SHA-256 hash) with a single command:
npx mdskills install sgroy10/speclockThis downloads the skill files into your project and your AI agent picks them up automatically.
→ skspeclocka1b2c3... (shown once, stored as SHA-256 hash) works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Gemini Cli, Amp, Roo Code, Goose. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.