specwright
Verified Safeby acartag7
Overview
Spec-driven AI software development platform that turns vague feature requests into executable plans, leveraging AI for planning, chunking, execution, and review with transparent oversight.
Installation
pnpm --filter @specwright/mcp devEnvironment Variables
- ANTHROPIC_API_KEY
- CLAUDE_CODE_OAUTH_TOKEN
- OPENCODE_URL
- DB_PATH
- CLAUDE_PATH
- MAX_WORKERS
- CHUNK_TIMEOUT_MS
- SPECWRIGHT_EXECUTOR_TYPE
- SPECWRIGHT_EXECUTOR_ENDPOINT
- SPECWRIGHT_EXECUTOR_MODEL
- SPECWRIGHT_EXECUTOR_TIMEOUT
- SPECWRIGHT_EXECUTOR_MAX_TOKENS
- SPECWRIGHT_PLANNER_TYPE
- SPECWRIGHT_PLANNER_CLI_PATH
- SPECWRIGHT_REVIEWER_TYPE
- SPECWRIGHT_REVIEWER_CLI_PATH
- SPECWRIGHT_REVIEWER_AUTO_APPROVE
- SPECWRIGHT_MAX_ITERATIONS
- SPECWRIGHT_USE_HTTP_API
Security Notes
The codebase demonstrates strong security practices, particularly in handling external command execution. It extensively uses `child_process.spawnSync` and `child_process.spawn` for interacting with `git`, `gh` (GitHub CLI), `opencode`, and `claude` CLIs. Arguments are consistently passed as arrays with `shell: false`, effectively mitigating shell command injection risks. A dedicated `path-validation.ts` module ensures project paths are normalized, within the user's home directory, and do not access sensitive system locations, preventing path traversal attacks. These deliberate security patterns are even highlighted in internal documentation. No `eval` or code obfuscation is present. The primary security considerations stem from the inherent trust placed in external CLI tools (`opencode`, `claude`) and the network interactions with AI APIs, though these are handled with best practices for credentials (environment variables).
Similar Servers
github-mcp-server
The GitHub MCP Server enables AI agents, assistants, and chatbots to interact with GitHub's platform for repository management, issue/PR automation, CI/CD intelligence, code analysis, and team collaboration through natural language.
spec-workflow-mcp
Facilitates structured, specification-driven software development by providing a workflow engine, real-time dashboards, and tools for task management, approvals, and detailed implementation logging, integrated with AI agents and VSCode.
claude-prompts
This server provides a hot-reloadable prompt engine with chains, quality gates, and structured reasoning for AI assistants, enhancing control over Claude's behavior in prompt workflows.
sudocode
Git-native spec and issue management for AI-assisted software development, enabling agents to track context, manage tasks, and collaborate through structured workflows and feedback loops within a version-controlled repository. It provides agent orchestration, context persistence, and real-time visualization for complex, long-horizon software development tasks.