chore: configure spec-kit governance presets

Author: hindermath

.agents/skills/speckit-plan/SKILL.md

@@ -1,147 +1,91 @@
 ---
-name: "speckit-plan"
-description: "Execute the implementation planning workflow using the plan template to generate design artifacts."
-compatibility: "Requires spec-kit project structure with .specify/ directory"
+name: speckit-plan
+description: Generate technical implementation plans from feature specifications.
+compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
-  author: "github-spec-kit"
-  source: "templates/commands/plan.md"
+  author: github-spec-kit
+  source: preset:security-governance
 ---
 
+# Speckit Plan Skill
 
-## User Input
-
-```text
-$ARGUMENTS
-```
-
-You **MUST** consider the user input before proceeding (if not empty).
-
-## Pre-Execution Checks
-
-**Check for extension hooks (before planning)**:
-- Check if `.specify/extensions.yml` exists in the project root.
-- If it exists, read it and look for entries under the `hooks.before_plan` key
-- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
-- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
-- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
-  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
-  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
-- For each executable hook, output the following based on its `optional` flag:
-  - **Optional hook** (`optional: true`):
-    ```
-    ## Extension Hooks
-
-    **Optional Pre-Hook**: {extension}
-    Command: `/{command}`
-    Description: {description}
-
-    Prompt: {prompt}
-    To execute: `/{command}`
-    ```
-  - **Mandatory hook** (`optional: false`):
-    ```
-    ## Extension Hooks
-
-    **Automatic Pre-Hook**: {extension}
-    Executing: `/{command}`
-    EXECUTE_COMMAND: {command}
+Before continuing, apply the Security Governance preset:
 
-    Wait for the result of the hook command before proceeding to the Outline.
-    ```
-- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+- plan explicit MSL applicability or non-MSL justification work when relevant
+- plan explicit secure-development verification work
+- plan dependency and supply-chain evidence updates where relevant
+- surface security review checkpoints instead of leaving them implicit
 
-## Outline
+Before continuing, apply the Architecture Governance preset:
 
-1. **Setup**: Run `.specify/scripts/bash/setup-plan.sh --json` from repo root and parse JSON for FEATURE_SPEC, IMPL_PLAN, SPECS_DIR, BRANCH. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+- plan explicit architecture evidence work
+- plan threat-model and ADR updates when boundaries, integrations, or flows
+  change
+- surface Zero Trust and SAMM work explicitly when relevant
 
-2. **Load context**: Read FEATURE_SPEC and `.specify/memory/constitution.md`. Load IMPL_PLAN template (already copied).
+Before continuing, apply the iSAQB Architecture Governance preset:
 
-3. **Execute plan workflow**: Follow the structure in IMPL_PLAN template to:
-   - Fill Technical Context (mark unknowns as "NEEDS CLARIFICATION")
-   - Fill Constitution Check section from constitution
-   - Evaluate gates (ERROR if violations unjustified)
-   - Phase 0: Generate research.md (resolve all NEEDS CLARIFICATION)
-   - Phase 1: Generate data-model.md, contracts/, quickstart.md
-   - Phase 1: Update agent context by running the agent script
-   - Re-evaluate Constitution Check post-design
+- plan explicit architecture work products where the feature changes
+  structure, interfaces, quality attributes, runtime behavior, or
+  deployment
+- plan updates to architecture views under `docs/architecture/`
+- plan ADRs for architecturally significant decisions
+- plan risk and technical-debt review for trade-offs or unresolved
+  constraints
+- if security-relevant architecture is affected, also plan the
+  secure-architecture evidence from `architecture-governance`
 
-4. **Stop and report**: Command ends after Phase 2 planning. Report branch, IMPL_PLAN path, and generated artifacts.
+Before continuing, apply the A11Y Governance preset:
 
-5. **Check for extension hooks**: After reporting, check if `.specify/extensions.yml` exists in the project root.
-   - If it exists, read it and look for entries under the `hooks.after_plan` key
-   - If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
-   - Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
-   - For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
-     - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
-     - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
-   - For each executable hook, output the following based on its `optional` flag:
-     - **Optional hook** (`optional: true`):
-       ```
-       ## Extension Hooks
+- plan accessibility review work explicitly
+- plan bilingual content work explicitly
+- include CLI accessibility checks where user-facing terminal output is changed
 
-       **Optional Hook**: {extension}
-       Command: `/{command}`
-       Description: {description}
+Before continuing, apply the Cross-Platform Governance preset:
 
-       Prompt: {prompt}
-       To execute: `/{command}`
-       ```
-     - **Mandatory hook** (`optional: false`):
-       ```
-       ## Extension Hooks
+- plan paired Bash + PowerShell script work as a single unit
+- plan the man-page, the bilingual PowerShell help block, and the
+  `Verb-Noun` Cmdlet alongside the script
+- plan manual verification on at least one target OS per variant
+- plan implementation discipline checks (Bash quoting, `set -euo
+  pipefail`, `Set-StrictMode -Version Latest`, `-NoProfile`) and the
+  parity-checklist artefact
 
-       **Automatic Hook**: {extension}
-       Executing: `/{command}`
-       EXECUTE_COMMAND: {command}
-       ```
-   - If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+Before continuing, apply the Agent Parity Governance preset:
 
-## Phases
+- plan an atomic update across all maintained agent surfaces
+- plan synchronised updates to project templates and the local
+  `.specify/memory/constitution.md`
+- plan a parity-verification artefact for the change
+
+# Command Template: `/speckit.plan`
+
+Use this command to produce an implementation plan from an approved specification.
+
+## Required Actions
+
+1. Populate technical context with real stack details.
+2. Execute the Constitution Check gates explicitly:
+   - branching and PR flow
+   - .NET 10 + C# 14.0 toolchain alignment
+   - architecture/layer boundaries
+   - bilingual CEFR B2 documentation scope
+   - XML documentation + DocFX regeneration scope
+   - Red-Green-Refactor testing scope
+   - coverage gate (`>=70%` minimum, `>=80%` target)
+   - NuGet dependency currency and pinning exceptions
+   - serialization/data conventions
+3. Document concrete project structure for this feature.
+4. Record justified exceptions in Complexity Tracking.
+
+## Validation Checklist
+
+- No gate is left unresolved without rationale.
+- Test, coverage, dependency, and documentation impacts are planned before implementation.
 
-### Phase 0: Outline & Research
 
-1. **Extract unknowns from Technical Context** above:
-   - For each NEEDS CLARIFICATION → research task
-   - For each dependency → best practices task
-   - For each integration → patterns task
 
-2. **Generate and dispatch research agents**:
 
-   ```text
-   For each unknown in Technical Context:
-     Task: "Research {unknown} for {feature context}"
-   For each technology choice:
-     Task: "Find best practices for {tech} in {domain}"
-   ```
-
-3. **Consolidate findings** in `research.md` using format:
-   - Decision: [what was chosen]
-   - Rationale: [why chosen]
-   - Alternatives considered: [what else evaluated]
-
-**Output**: research.md with all NEEDS CLARIFICATION resolved
-
-### Phase 1: Design & Contracts
-
-**Prerequisites:** `research.md` complete
-
-1. **Extract entities from feature spec** → `data-model.md`:
-   - Entity name, fields, relationships
-   - Validation rules from requirements
-   - State transitions if applicable
-
-2. **Define interface contracts** (if project has external interfaces) → `/contracts/`:
-   - Identify what interfaces the project exposes to users or other systems
-   - Document the contract format appropriate for the project type
-   - Examples: public APIs for libraries, command schemas for CLI tools, endpoints for web services, grammars for parsers, UI contracts for applications
-   - Skip if project is purely internal (build scripts, one-off tools, etc.)
-
-3. **Agent context update**:
-   - Update the plan reference between the `<!-- SPECKIT START -->` and `<!-- SPECKIT END -->` markers in `AGENTS.md` to point to the plan file created in step 1 (the IMPL_PLAN path)
 
-**Output**: data-model.md, /contracts/*, quickstart.md, updated agent context file
 
-## Key rules
 
-- Use absolute paths for filesystem operations; use project-relative paths for references in documentation and agent context files
-- ERROR on gate failures or unresolved clarifications

.agents/skills/speckit-specify/SKILL.md

@@ -1,12 +1,66 @@
 ---
-name: "speckit-specify"
-description: "Create or update the feature specification from a natural language feature description."
-compatibility: "Requires spec-kit project structure with .specify/ directory"
+name: speckit-specify
+description: Create or update feature specifications from natural language descriptions.
+compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
-  author: "github-spec-kit"
-  source: "templates/commands/specify.md"
+  author: github-spec-kit
+  source: preset:security-governance
 ---
 
+# Speckit Specify Skill
+
+Before continuing, apply the Security Governance preset:
+
+- determine whether the primary implementation language is memory-safe
+- document a short justification if the language is not memory-safe
+- determine whether `NIST SSDF`, `CWE Top 25`, `OWASP ASVS`, `SBOM`, `VEX`,
+  and `SLSA` are relevant
+- document `N/A` decisions with rationale
+- identify which security evidence artefacts should be created or updated under
+  `docs/security/`
+
+Before continuing, apply the Architecture Governance preset:
+
+- identify whether runtime or hardware constraints affect memory-safe language
+  choice
+- identify trust boundaries affected by the requested work
+- determine whether threat modeling, ADR updates, or Zero Trust review apply
+- document `N/A` decisions with rationale
+
+Before continuing, apply the iSAQB Architecture Governance preset:
+
+- identify whether the feature affects architecture goals, context,
+  quality attributes, interfaces, runtime behavior, deployment, or
+  technical debt
+- record the architecture evidence expected under `docs/architecture/`
+- identify whether general ADRs or architecture-risk records are needed
+- if security-relevant architecture is affected, also apply the
+  `architecture-governance` secure-architecture preset
+
+Before continuing, apply the A11Y Governance preset:
+
+- determine which user-facing artefacts are affected
+- apply `WCAG 2.2 AA` where relevant
+- determine whether bilingual delivery is required
+- determine whether `docs/accessibility/` evidence should be updated
+- document `N/A` decisions with rationale
+
+Before continuing, apply the Cross-Platform Governance preset:
+
+- identify whether this feature adds, changes, or removes a
+  script-shaped tool
+- record that both Bash (`*.sh`) and PowerShell (`*.ps1`) variants are
+  in scope, plus a Unix man-page and a bilingual PowerShell help block
+- record the planned `Verb-Noun` Cmdlet name (approved verbs only)
+- record dry-run / `-WhatIf` parity expectations
+
+Before continuing, apply the Agent Parity Governance preset:
+
+- identify whether shared agent guidance, project templates, or
+  `.specify/memory/constitution.md` is affected
+- list every maintained agent surface that must be updated together
+- record any intentional deviation explicitly
+
 
 ## User Input
 
@@ -52,7 +106,7 @@ You **MUST** consider the user input before proceeding (if not empty).
 
 ## Outline
 
-The text the user typed after `/speckit-specify` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
+The text the user typed after `__SPECKIT_COMMAND_SPECIFY__` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
 
 Given that feature description, do this:
 
@@ -98,10 +152,10 @@ Given that feature description, do this:
      }
      ```
      Write the actual resolved directory path value (for example, `specs/003-user-auth`), not the literal string `SPECIFY_FEATURE_DIRECTORY`.
-     This allows downstream commands (`/speckit-plan`, `/speckit-tasks`, etc.) to locate the feature directory without relying on git branch name conventions.
+     This allows downstream commands (`__SPECKIT_COMMAND_PLAN__`, `__SPECKIT_COMMAND_TASKS__`, etc.) to locate the feature directory without relying on git branch name conventions.
 
    **IMPORTANT**:
-   - You must only create one feature per `/speckit-specify` invocation
+   - You must only create one feature per `__SPECKIT_COMMAND_SPECIFY__` invocation
    - The spec directory name and the git branch name are independent — they may be the same but that is the user's choice
    - The spec directory and file are always created by this command, never by the hook
 
@@ -140,20 +194,20 @@ Given that feature description, do this:
 
       ```markdown
       # Specification Quality Checklist: [FEATURE NAME]
-
+      
       **Purpose**: Validate specification completeness and quality before proceeding to planning
       **Created**: [DATE]
       **Feature**: [Link to spec.md]
-
+      
       ## Content Quality
-
+      
       - [ ] No implementation details (languages, frameworks, APIs)
       - [ ] Focused on user value and business needs
       - [ ] Written for non-technical stakeholders
       - [ ] All mandatory sections completed
-
+      
       ## Requirement Completeness
-
+      
       - [ ] No [NEEDS CLARIFICATION] markers remain
       - [ ] Requirements are testable and unambiguous
       - [ ] Success criteria are measurable
@@ -162,17 +216,17 @@ Given that feature description, do this:
       - [ ] Edge cases are identified
       - [ ] Scope is clearly bounded
       - [ ] Dependencies and assumptions identified
-
+      
       ## Feature Readiness
-
+      
       - [ ] All functional requirements have clear acceptance criteria
       - [ ] User scenarios cover primary flows
       - [ ] Feature meets measurable outcomes defined in Success Criteria
       - [ ] No implementation details leak into specification
-
+      
       ## Notes
-
-      - Items marked incomplete require spec updates before `/speckit-clarify` or `/speckit-plan`
+      
+      - Items marked incomplete require spec updates before `__SPECKIT_COMMAND_CLARIFY__` or `__SPECKIT_COMMAND_PLAN__`
       ```
 
    b. **Run Validation Check**: Review the spec against each checklist item:
@@ -196,20 +250,20 @@ Given that feature description, do this:
 
            ```markdown
            ## Question [N]: [Topic]
-
+           
            **Context**: [Quote relevant spec section]
-
+           
            **What we need to know**: [Specific question from NEEDS CLARIFICATION marker]
-
+           
            **Suggested Answers**:
-
+           
            | Option | Answer | Implications |
            |--------|--------|--------------|
            | A      | [First suggested answer] | [What this means for the feature] |
            | B      | [Second suggested answer] | [What this means for the feature] |
            | C      | [Third suggested answer] | [What this means for the feature] |
            | Custom | Provide your own answer | [Explain how to provide custom input] |
-
+           
            **Your choice**: _[Wait for user response]_
            ```
 
@@ -230,7 +284,7 @@ Given that feature description, do this:
    - `SPECIFY_FEATURE_DIRECTORY` — the feature directory path
    - `SPEC_FILE` — the spec file path
    - Checklist results summary
-   - Readiness for the next phase (`/speckit-clarify` or `/speckit-plan`)
+   - Readiness for the next phase (`__SPECKIT_COMMAND_CLARIFY__` or `__SPECKIT_COMMAND_PLAN__`)
 
 9. **Check for extension hooks**: After reporting completion, check if `.specify/extensions.yml` exists in the project root.
    - If it exists, read it and look for entries under the `hooks.after_specify` key