
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@clawplays/ospec-cli
Advanced tools
Official OSpec CLI package for spec-driven development (SDD) and document-driven development in AI coding agent and CLI workflows.
The official OSpec CLI package is @clawplays/ospec-cli, and the official command is ospec. OSpec is a spec-driven, agentic workflow framework for AI coding agents — it brings spec-driven development (SDD) and Loop Engineering (a verifiable plan → act → verify goal loop) to Claude Code, Codex, Gemini, OpenCode, MCP-based agents, and plain CLI workflows.
Prompt Guide | Usage | Overview | Installation | External Plugins | Plugin Release | Issues
AI coding assistants are powerful, but requirements that live only in chat history are hard to inspect, review, and close out cleanly. OSpec adds a lightweight workflow layer so the repository can hold the change context before code is written and after the work ships.
ospec change — the everyday fast flow — one requirement becomes one active change on a short init -> change -> verify/finalize path, kept lightweight and easy to review.ospec goal for larger or riskier work — describe the result you need; the AI asks important questions, writes an inspectable plan, implements the work, runs tests, requests an independent review, updates project docs, and continues until the result is proven.L1 only checks, L2 may edit but pauses for important choices, and L3 may continue within limits you set. Progress is saved in the repository, so a later session can resume it.npm install -g @clawplays/ospec-cli
Official package: @clawplays/ospec-cli
Command: ospec
Verify install: ospec --help
OSpec only takes 3 steps:
Recommended prompt:
OSpec, initialize this project.
Claude / Codex skill mode:
/ospec initialize this project.
ospec init .
ospec init . --summary "Internal admin portal for operations"
ospec init . --summary "Internal admin portal for operations" --tech-stack node,react,postgres
ospec init . --architecture "Single web app with API and shared auth" --document-language en-US
CLI notes:
--summary: project overview text written into the generated docs--tech-stack: comma-separated stack list such as node,react,postgres--architecture: short architecture description--document-language: generated doc language, choose from en-US, zh-CN, ja-JP, or ar.skillrc--document-language -> persisted project language in .skillrc -> existing project docs / managed for-ai/* guidance / asset manifest -> fallback en-US.skillrc and reuses it for for-ai guidance, ospec new, and ospec updateospec init default to the nested layout: root .skillrc and README.md, with OSpec-managed files under .ospec/.ospec/knowledge/src/ or .ospec/knowledge/tests/; those appear only when a project already has legacy knowledge content to migrate or when future explicit knowledge-generation flows create themchanges/active/<change-name>, but the physical path in nested projects is .ospec/changes/active/<change-name>Use this for requirement delivery, documentation updates, refactors, and bug fixes.
Recommended prompt:
OSpec, create and advance a change for this requirement.
Claude / Codex skill mode:
/ospec-change create and advance a change for this requirement.
/ospec-goal create and advance a full goal for this requirement.
ospec new docs-homepage-refresh .
ospec new fix-login-timeout .
ospec new update-billing-copy .
The classic change flow above stays simple: proposal.md → tasks.md → implement → verification.md → review.md, with no controller layer. The agent controller layer — parallel worker dispatch, reviewer gates, and durable evidence — belongs to the full goal workflow. Use it with ospec goal, or on a single change only when you explicitly opt into agent/worker execution. OSpec keeps the controller state in repo artifacts, and the current AI harness starts native worker agents when available.
ospec session .
ospec execute bootstrap changes/active/<goal-name>
ospec execute workspace changes/active/<goal-name>
ospec execute status changes/active/<goal-name>
ospec execute dispatch changes/active/<goal-name> --limit 2
ospec execute launch changes/active/<goal-name> --task <task-id> --target codex
ospec execute complete <task-id> changes/active/<goal-name> --status DONE --summary "..."
ospec execute review changes/active/<goal-name> --task <task-id>
ospec execute verify changes/active/<goal-name> --command "npm test" --status PASSED --exit-code 0
launch writes artifacts/agents/launch-plan.md; it does not start workers by itself. Codex/GPT use spawn_agent plus the harness wait lifecycle (and close only when exposed), Claude Code uses Task, Gemini uses @generalist, and OpenCode uses @mention. Use launch --run --command or orchestrate --command only when the current harness cannot start native subagents and the user explicitly accepts CLI fallback.
After the requirement has passed deployment, testing, QA, or other acceptance checks, archive the validated change.
Recommended prompt:
OSpec, archive this accepted change.
Claude / Codex skill mode:
/ospec archive this accepted change.
ospec verify changes/active/<change-name>
ospec finalize changes/active/<change-name>
Archive notes:
ospec verify to confirm the active change is readyospec finalize to rebuild indexes and archive the accepted change.ospec/changes/archived/YYYY-MM/YYYY-MM-DD/<change-name>; CLI shorthand under changes/archived/... still worksospec updateUse a goal when the work touches several parts of the project, has important design choices, changes an API or data, carries security or migration risk, or will take several rounds to finish. For a small, well-defined edit, use ospec new instead.
Start from a terminal:
ospec goal improve-checkout --level L2 --target codex --execution-model controller --harness-interactive true --native-subagents supported
Then tell the AI what outcome you need in ordinary language. You can also skip the terminal command and say: "Use OSpec goal for this requirement and carry it through to completion."
That is all a normal user needs to operate. The AI will:
You remain in control. The AI explains what it is about to do, pauses when it needs a decision, and records task, review, repair, verification, and loop progress in the repository so a fresh worker or later session can continue without replaying the conversation. You do not need to run the internal ospec execute commands yourself.
Choose how much the goal may do on its own with --level L1|L2|L3 (default L1):
Required user decisions block every level. The integrated goal loop reads task-graph.json, emits a bounded parallel batch, and observes durable completion or review evidence before advancing. When the ospec-goal skill is active and the IDE exposes a native subagent API, controller mode requires the current IDE AI to launch one fresh native subagent per referenced packet, wait for the batch, record evidence, and continue ticking without another user prompt; it does not stop at Loop initialization or require loop watch. L1 remains report-only, so executable work requires the user to select L2 or L3. If the IDE lacks native subagents, controller auto-dispatch fails clearly instead of silently pretending the CLI started an IDE agent.
To see progress, child executor ids, heartbeats, leases, token sources, and active guards, run ospec loop status. Use ospec loop configure for concurrency, allowlists, test commands, deadlines, token/time/iteration budgets, no-progress limits, comprehension checkpoints, and prompt bounds. IDE controllers persist child ownership with ospec loop heartbeat and each result with ospec loop result; after a confirmed session/child loss, ospec loop recover --force expires only unfinished items so they can be requeued without duplicating completed siblings. Advanced loop and triage commands are documented in docs/loop-engineering.md.
Internally, OSpec keeps implementation and independent review separate, feeds blocked work and review findings into retry or grouped repair, and requires current test evidence before the goal is considered complete.
Claude Code hard enforcement (one-time; the AI runs this for you automatically in a Claude Code harness):
ospec session hook --target claude --apply
This writes a hook bundle under .ospec/hooks/claude/ and merges it into .claude/settings.json (idempotent and reversible). The hooks:
ospec command at the tool level,Hooks load at session start, so they take effect from the next Claude Code session.
For an existing OSpec project, after upgrading the CLI with npm, run this in the project directory to refresh the project's OSpec files:
ospec update
ospec update also migrates legacy root-level build-index-auto.cjs / build-index-auto.js tooling into .ospec/tools/build-index-auto.cjs and refreshes OSpec-managed hook entrypoints to use the new location.
It also repairs older OSpec projects that still have an OSpec footprint but are missing newer core runtime directories, refreshes managed skills and archive layout metadata, and syncs project assets for already-enabled plugins.
For nested projects that still carry legacy knowledge under .ospec/src/ or .ospec/tests/, ospec update migrates those paths into .ospec/knowledge/src/ and .ospec/knowledge/tests/.
When an already-enabled plugin has a newer compatible npm package version available, ospec update upgrades that global plugin package automatically and prints the version transition.
It does not upgrade the CLI itself, and it does not enable plugins or migrate active / queued changes automatically.
It also does not switch a classic project layout to nested automatically.
If you want to convert an older classic project to the new layout, run ospec layout migrate --to nested explicitly.
┌─────────────────────────────────────────────────────────────────┐
│ 1. USER REQUEST │
│ "OSpec, create and advance a change for this task." │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 2. INIT TO CHANGE-READY │
│ ospec init │
│ - .skillrc │
│ - README.md │
│ - .ospec/ │
│ - .ospec/changes/active + .ospec/changes/archived │
│ - .ospec/SKILL.md + .ospec/SKILL.index.json + .ospec/for-ai│
│ - .ospec/docs/project/* baseline knowledge docs │
│ - reuse docs or fall back to placeholders │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 3. EXECUTION │
│ ospec new <change-name> # classic fast change │
│ ospec goal <goal-name> # full goal workflow │
│ ospec brainstorm / plan (optional pre-change aids) │
│ ospec session │
│ ospec session hook │
│ ospec progress │
│ ospec execute bootstrap / handoff / doc-review / status │
│ ospec execute next │
│ ospec execute workspace / worktree / worktree --create │
│ ospec execute worktree --cleanup / finish │
│ ospec execute dispatch / launch / collect / retry / review │
│ ospec execute debug │
│ ospec execute tdd │
│ ospec execute verify │
│ ospec execute sync │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 4. DEPLOY + VALIDATE │
│ project deploy / test / QA │
│ ospec verify │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 5. ARCHIVE │
│ ospec finalize │
│ rebuild index + archive │
└─────────────────────────────────────────────────────────────────┘
| Concept | What It Means |
|---|---|
| Protocol Shell | The minimum collaboration skeleton: root .skillrc and README.md, plus managed OSpec files under .ospec/ for change state, SKILL docs, index state, for-ai/ guidance, and project docs. |
| Project Knowledge Layer | Explicit project context such as docs/project/*, layered skill files, and index state that AI can read consistently. |
| Active Change | A dedicated execution container for one small or routine requirement, using the classic fast files: proposal.md, tasks.md, state.json, verification.md, and review.md, plus plugin artifacts when activated. |
| Active Goal | A full-workflow execution container created with ospec goal, adding design.md, implementation-plan.md, artifacts/agents/task-graph.json, handoff artifacts, document-review artifacts, launch-plan artifacts, worker-run artifacts, reviewer-run artifacts, retry artifacts, review artifacts, artifacts/agents/worker-status.md, and evidence artifacts. |
ospec init creates the protocol shell and baseline project knowledge docs in one pass..skillrc so later guidance and generated change docs stay consistent unless you explicitly change it.finalize or archive writes docs/project/changes/<archive-path>.md, then links it from docs/project/feature-index.md, SKILL.index.json.documents, and SKILL.index.json.archived_changes. Before moving the active change, archive preflight refuses to overwrite a human-owned file at that path and verifies the managed output directories are writable. Goals still update the relevant human-maintained architecture, API, module, or operational docs; the generated change summary does not replace them.artifacts/agents/review-packages/*.diff with scoped Git evidence, while artifacts/agents/execution-metrics.json records packet/report/package bytes and task duration. Goal task graphs can enable documentation_updates so missing or undeclared project docs block archive.Announce-Before-Act (the AI announces its skill and stage, the ospec execute … command and the artifact it writes, and each subagent dispatch), Brainstorm-First (open direction, architecture, API, UI, risk, and scope decisions are asked one at a time through the native question UI before design is locked), and Zero-Setup (you only start a goal and describe the requirement — the AI runs every ospec command itself). In Claude Code, ospec session hook --target claude --apply adds hooks that announce every dispatch and hard-block subagent dispatch while a required decision is still pending.ospec brainstorm writes durable exploration artifacts under .ospec/brainstorms/, with an optional static visual companion; ospec plan writes plan drafts under .ospec/plans/ and only updates implementation-plan.md when --apply is passed. The default small-change flow starts with ospec new; the full workflow starts with ospec goal.ospec session writes .ospec/session-brief.json and .ospec/session-brief.md so agents or humans entering an existing project can see active changes, queued changes, queue-run state, indexed document and archived-feature counts, a cache fingerprint, and the next safe command before touching a change; ospec session hook --target claude writes opt-in harness startup artifacts plus a Claude Code hook bundle under .ospec/hooks/, and --apply idempotently merges it into .claude/settings.json.ospec loop run --once emits token-bounded task/review/verification action batches for fresh native subagents, while CLI-driven ospec loop watch executes supported external agents in fresh processes. Both use packet paths instead of duplicating the whole goal, persist pending actions and feedback, route review failures through retry or one grouped repair wave, and enforce required decisions, L3 allowlists, budgets, no-progress stops, and comprehension-review pauses.ospec execute bootstrap writes a one-change startup/resume snapshot with the project session brief snapshot and next safe action; handoff writes a cross-tool worker handoff guide with the project session brief snapshot; doc-review creates design and implementation-plan reviewer packets before task execution; status and next report controller state and safe next task candidates; workspace records git workspace safety before worker handoff; worktree records an isolated-worktree preparation plan by default, while explicit --create or --cleanup runs the matching git worktree command and captures artifacts/agents/worktree-runs/; finish records closeout readiness before finalize, archive, push, merge, or worktree cleanup; dispatch and complete create parallel-safe worker packets with worker profiles and target tool mapping, then record task results as OSpec artifacts; review --task creates one combined per-task code review packet (spec compliance + code quality in a single pass) that blocks dependent tasks until approved, while final review creates one combined whole-change code review packet; launch writes the native agent launch plan for the current AI harness, including Codex/GPT spawn_agent, Claude Code Task, Gemini @generalist, and OpenCode @mention guidance; orchestrate is the final CLI fallback for harnesses without native subagents and runs explicit command templates only; launch --run --command is the single-worker CLI fallback; collect turns a fallback worker run into task completion state; retry reopens blocked, needs-context, or failed task work; explicit review --run --command captures artifacts/agents/review-runs/; debug, tdd, and verify record durable evidence; sync rebuilds worker-status.md from execution and review artifacts..skillrc.workflow.document_review_policy keeps independent document review by default. With adaptive, inline preflight still requires an explicit risk_level: low (or none) declaration and no detected risk signal; .skillrc.workflow.model_profiles maps logical roles without provider model names in OSpec defaults.OSPEC_USAGE_FILE for automatic ingestion, while --usage-file remains a manual input. Metrics distinguish complete, partial, and missing coverage. ospec execute repair turns all structured NEEDS_CHANGES findings into one repair task.queue and run support explicit multi-change execution when one active change is not enough.finalize verifies and archives the change, then refreshes the generated feature locator and knowledge index before manual Git commit. It never overwrites human-maintained architecture, module, or API prose.OSpec supports plugins for UI review and runtime validation. Keep the public flow simple:
/ospec open Stitch for this project.
/ospec open Checkpoint for this project.
In AI / /ospec flows, requests like "open Stitch" or "open Checkpoint" should be handled as: check whether the plugin is already installed globally, install only when missing, then enable it in the current project.
Command line fallback:
ospec plugins list
ospec plugins install stitch
ospec plugins enable stitch .
ospec plugins install checkpoint
ospec plugins enable checkpoint . --base-url http://127.0.0.1:3000
Official npm plugin packages:
@clawplays/ospec-plugin-stitch@clawplays/ospec-plugin-checkpointAfter a plugin is enabled, its detailed setup docs are synced into .ospec/plugins/<plugin>/docs/.
Maintainers can find plugin publishing and automation details in docs/plugin-release.md.
dist/ Compiled CLI runtime
assets/ Managed protocol assets, hooks, and skill payloads
docs/ Public documentation
scripts/ Release and installation helpers
.ospec/templates/hooks/ Hook templates shipped with the package
This project is licensed under the MIT License.
FAQs
Official OSpec CLI package for spec-driven development (SDD) and document-driven development in AI coding agent and CLI workflows.
The npm package @clawplays/ospec-cli receives a total of 69 weekly downloads. As such, @clawplays/ospec-cli popularity was classified as not popular.
We found that @clawplays/ospec-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.