
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@clawplays/ospec-cli
Advanced tools
Official OSpec CLI package for spec-driven development (SDD) and document-driven development in AI coding agent and CLI workflows.
The official OSpec CLI package is @clawplays/ospec-cli, and the official command is ospec. OSpec is a spec-driven, agentic workflow framework for AI coding agents — it brings spec-driven development (SDD) and Loop Engineering (a verifiable plan → act → verify goal loop) to Claude Code, Codex, Gemini, OpenCode, MCP-based agents, and plain CLI workflows.
Prompt Guide | Usage | Overview | Installation | External Plugins | Plugin Release | Issues
AI coding assistants are powerful, but requirements that live only in chat history are hard to inspect, review, and close out cleanly. OSpec adds a lightweight workflow layer so the repository can hold the change context before code is written and after the work ships.
ospec change — the everyday fast flow — one requirement becomes one active change on a short init -> change -> verify/finalize path, kept lightweight and easy to review.ospec goal — engineering-grade discipline — brainstorm and lock the design before any code, split the work into a task graph, dispatch parallel sub-agents, enforce TDD and code review by a separate reviewer, and require durable test/verification evidence before anything counts as done.ospec goal runs as a loop — it plans, acts, and verifies in rounds until tests prove the work, at a safety level you choose (--level L1|L2|L3: report-only → assisted → unattended); drive it with ospec loop … and surface findings to a triage inbox with ospec triage ….npm install -g @clawplays/ospec-cli
Official package: @clawplays/ospec-cli
Command: ospec
Verify install: ospec --help
OSpec only takes 3 steps:
Recommended prompt:
OSpec, initialize this project.
Claude / Codex skill mode:
/ospec initialize this project.
ospec init .
ospec init . --summary "Internal admin portal for operations"
ospec init . --summary "Internal admin portal for operations" --tech-stack node,react,postgres
ospec init . --architecture "Single web app with API and shared auth" --document-language en-US
CLI notes:
--summary: project overview text written into the generated docs--tech-stack: comma-separated stack list such as node,react,postgres--architecture: short architecture description--document-language: generated doc language, choose from en-US, zh-CN, ja-JP, or ar.skillrc--document-language -> persisted project language in .skillrc -> existing project docs / managed for-ai/* guidance / asset manifest -> fallback en-US.skillrc and reuses it for for-ai guidance, ospec new, and ospec updateospec init default to the nested layout: root .skillrc and README.md, with OSpec-managed files under .ospec/.ospec/knowledge/src/ or .ospec/knowledge/tests/; those appear only when a project already has legacy knowledge content to migrate or when future explicit knowledge-generation flows create themchanges/active/<change-name>, but the physical path in nested projects is .ospec/changes/active/<change-name>Use this for requirement delivery, documentation updates, refactors, and bug fixes.
Recommended prompt:
OSpec, create and advance a change for this requirement.
Claude / Codex skill mode:
/ospec-change create and advance a change for this requirement.
/ospec-goal create and advance a full goal for this requirement.
ospec new docs-homepage-refresh .
ospec new fix-login-timeout .
ospec new update-billing-copy .
The classic change flow above stays simple: proposal.md → tasks.md → implement → verification.md → review.md, with no controller layer. The agent controller layer — parallel worker dispatch, reviewer gates, and durable evidence — belongs to the full goal workflow. Use it with ospec goal, or on a single change only when you explicitly opt into agent/worker execution. OSpec keeps the controller state in repo artifacts, and the current AI harness starts native worker agents when available.
ospec session .
ospec execute bootstrap changes/active/<goal-name>
ospec execute workspace changes/active/<goal-name>
ospec execute status changes/active/<goal-name>
ospec execute dispatch changes/active/<goal-name> --limit 2
ospec execute launch changes/active/<goal-name> --task <task-id> --target codex
ospec execute complete <task-id> changes/active/<goal-name> --status DONE --summary "..."
ospec execute review changes/active/<goal-name> --task <task-id>
ospec execute verify changes/active/<goal-name> --command "npm test" --status PASSED --exit-code 0
launch writes artifacts/agents/launch-plan.md; it does not start workers by itself. Codex/GPT use spawn_agent / wait_agent / close_agent, Claude Code uses Task, Gemini uses @generalist, and OpenCode uses @mention. Use launch --run --command or orchestrate --command only when the current harness cannot start native subagents.
After the requirement has passed deployment, testing, QA, or other acceptance checks, archive the validated change.
Recommended prompt:
OSpec, archive this accepted change.
Claude / Codex skill mode:
/ospec archive this accepted change.
ospec verify changes/active/<change-name>
ospec finalize changes/active/<change-name>
Archive notes:
ospec verify to confirm the active change is readyospec finalize to rebuild indexes and archive the accepted change.ospec/changes/archived/YYYY-MM/YYYY-MM-DD/<change-name>; CLI shorthand under changes/archived/... still worksospec updateUse ospec goal <goal-name> (or just say "OSpec, create and advance a full goal for this requirement") for complex, cross-cutting, or high-risk work that needs the full OSpec workflow: design doc, implementation plan, task graph, parallel worker dispatch, document and code review, and durable TDD / debug / verification evidence.
You only start a goal and describe the requirement. The AI runs every ospec command itself; you just answer questions in chat (Zero-Setup).
A goal runs as a session-bound loop: it plans, acts, and verifies in rounds until the work is done and proven by tests. You choose a safety level when you start it (--level L1|L2|L3, default L1):
Drive and watch it with ospec loop run/watch/status/pause/resume/level, review findings with ospec triage list/claim/promote, and stop it by pausing, dropping a STOP file, or closing your session. When the harness has a native /goal (Claude, Codex) the loop uses it; otherwise it falls back automatically. ospec change stays the classic fast flow. See docs/loop-engineering.md.
Experience contracts the AI follows on every goal:
ospec execute … command it is about to run and the artifact it writes, and how many subagents it dispatches — so you always see what is happening.ospec execute decision …; required decisions block worker dispatch until you answer.Claude Code hard enforcement (one-time; the AI runs this for you automatically in a Claude Code harness):
ospec session hook --target claude --apply
This writes a hook bundle under .ospec/hooks/claude/ and merges it into .claude/settings.json (idempotent and reversible). The hooks:
ospec command at the tool level,Hooks load at session start, so they take effect from the next Claude Code session.
For an existing OSpec project, after upgrading the CLI with npm, run this in the project directory to refresh the project's OSpec files:
ospec update
ospec update also migrates legacy root-level build-index-auto.cjs / build-index-auto.js tooling into .ospec/tools/build-index-auto.cjs and refreshes OSpec-managed hook entrypoints to use the new location.
It also repairs older OSpec projects that still have an OSpec footprint but are missing newer core runtime directories, refreshes managed skills and archive layout metadata, and syncs project assets for already-enabled plugins.
For nested projects that still carry legacy knowledge under .ospec/src/ or .ospec/tests/, ospec update migrates those paths into .ospec/knowledge/src/ and .ospec/knowledge/tests/.
When an already-enabled plugin has a newer compatible npm package version available, ospec update upgrades that global plugin package automatically and prints the version transition.
It does not upgrade the CLI itself, and it does not enable plugins or migrate active / queued changes automatically.
It also does not switch a classic project layout to nested automatically.
If you want to convert an older classic project to the new layout, run ospec layout migrate --to nested explicitly.
┌─────────────────────────────────────────────────────────────────┐
│ 1. USER REQUEST │
│ "OSpec, create and advance a change for this task." │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 2. INIT TO CHANGE-READY │
│ ospec init │
│ - .skillrc │
│ - README.md │
│ - .ospec/ │
│ - .ospec/changes/active + .ospec/changes/archived │
│ - .ospec/SKILL.md + .ospec/SKILL.index.json + .ospec/for-ai│
│ - .ospec/docs/project/* baseline knowledge docs │
│ - reuse docs or fall back to placeholders │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 3. EXECUTION │
│ ospec new <change-name> # classic fast change │
│ ospec goal <goal-name> # full goal workflow │
│ ospec brainstorm / plan (optional pre-change aids) │
│ ospec session │
│ ospec session hook │
│ ospec progress │
│ ospec execute bootstrap / handoff / doc-review / status │
│ ospec execute next │
│ ospec execute workspace / worktree / worktree --create │
│ ospec execute worktree --cleanup / finish │
│ ospec execute dispatch / launch / collect / retry / review │
│ ospec execute debug │
│ ospec execute tdd │
│ ospec execute verify │
│ ospec execute sync │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 4. DEPLOY + VALIDATE │
│ project deploy / test / QA │
│ ospec verify │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 5. ARCHIVE │
│ ospec finalize │
│ rebuild index + archive │
└─────────────────────────────────────────────────────────────────┘
| Concept | What It Means |
|---|---|
| Protocol Shell | The minimum collaboration skeleton: root .skillrc and README.md, plus managed OSpec files under .ospec/ for change state, SKILL docs, index state, for-ai/ guidance, and project docs. |
| Project Knowledge Layer | Explicit project context such as docs/project/*, layered skill files, and index state that AI can read consistently. |
| Active Change | A dedicated execution container for one small or routine requirement, using the classic fast files: proposal.md, tasks.md, state.json, verification.md, and review.md, plus plugin artifacts when activated. |
| Active Goal | A full-workflow execution container created with ospec goal, adding design.md, implementation-plan.md, artifacts/agents/task-graph.json, handoff artifacts, document-review artifacts, launch-plan artifacts, worker-run artifacts, reviewer-run artifacts, retry artifacts, review artifacts, artifacts/agents/worker-status.md, and evidence artifacts. |
ospec init creates the protocol shell and baseline project knowledge docs in one pass..skillrc so later guidance and generated change docs stay consistent unless you explicitly change it.ospec docs generate refreshes or repairs project knowledge docs when you need it later.Announce-Before-Act (the AI announces its skill and stage, the ospec execute … command and the artifact it writes, and each subagent dispatch), Brainstorm-First (open direction, architecture, API, UI, risk, and scope decisions are asked one at a time through the native question UI before design is locked), and Zero-Setup (you only start a goal and describe the requirement — the AI runs every ospec command itself). In Claude Code, ospec session hook --target claude --apply adds hooks that announce every dispatch and hard-block subagent dispatch while a required decision is still pending.ospec brainstorm writes durable exploration artifacts under .ospec/brainstorms/, with an optional static visual companion; ospec plan writes plan drafts under .ospec/plans/ and only updates implementation-plan.md when --apply is passed. The default small-change flow starts with ospec new; the full workflow starts with ospec goal.ospec session writes .ospec/session-brief.json and .ospec/session-brief.md so agents or humans entering an existing project can see active changes, queued changes, queue-run state, a cache fingerprint, and the next safe command before touching a change; ospec session hook --target claude writes opt-in harness startup artifacts plus a Claude Code hook bundle under .ospec/hooks/, and --apply idempotently merges it into .claude/settings.json.ospec execute bootstrap writes a one-change startup/resume snapshot with the project session brief snapshot and next safe action; handoff writes a cross-tool worker handoff guide with the project session brief snapshot; doc-review creates design and implementation-plan reviewer packets before task execution; status and next report controller state and safe next task candidates; workspace records git workspace safety before worker handoff; worktree records an isolated-worktree preparation plan by default, while explicit --create or --cleanup runs the matching git worktree command and captures artifacts/agents/worktree-runs/; finish records closeout readiness before finalize, archive, push, merge, or worktree cleanup; dispatch and complete create parallel-safe worker packets with worker profiles and target tool mapping, then record task results as OSpec artifacts; review --task creates one combined per-task code review packet (spec compliance + code quality in a single pass) that blocks dependent tasks until approved, while final review creates one combined whole-change code review packet; launch writes the native agent launch plan for the current AI harness, including Codex/GPT spawn_agent, Claude Code Task, Gemini @generalist, and OpenCode @mention guidance; orchestrate is the final CLI fallback for harnesses without native subagents and runs explicit command templates only; launch --run --command is the single-worker CLI fallback; collect turns a fallback worker run into task completion state; retry reopens blocked, needs-context, or failed task work; explicit review --run --command captures artifacts/agents/review-runs/; debug, tdd, and verify record durable evidence; sync rebuilds worker-status.md from execution and review artifacts.queue and run support explicit multi-change execution when one active change is not enough.finalize verifies, rebuilds indexes, and archives the change before manual Git commit.OSpec supports plugins for UI review and runtime validation. Keep the public flow simple:
/ospec open Stitch for this project.
/ospec open Checkpoint for this project.
In AI / /ospec flows, requests like "open Stitch" or "open Checkpoint" should be handled as: check whether the plugin is already installed globally, install only when missing, then enable it in the current project.
Command line fallback:
ospec plugins list
ospec plugins install stitch
ospec plugins enable stitch .
ospec plugins install checkpoint
ospec plugins enable checkpoint . --base-url http://127.0.0.1:3000
Official npm plugin packages:
@clawplays/ospec-plugin-stitch@clawplays/ospec-plugin-checkpointAfter a plugin is enabled, its detailed setup docs are synced into .ospec/plugins/<plugin>/docs/.
Maintainers can find plugin publishing and automation details in docs/plugin-release.md.
dist/ Compiled CLI runtime
assets/ Managed protocol assets, hooks, and skill payloads
docs/ Public documentation
scripts/ Release and installation helpers
.ospec/templates/hooks/ Hook templates shipped with the package
This project is licensed under the MIT License.
FAQs
Official OSpec CLI package for spec-driven development (SDD) and document-driven development in AI coding agent and CLI workflows.
The npm package @clawplays/ospec-cli receives a total of 69 weekly downloads. As such, @clawplays/ospec-cli popularity was classified as not popular.
We found that @clawplays/ospec-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.