speclock

SpecLock (speclock) enforces memory and behavioral constraints for AI tools during development workflows. It watches defined locks and prevents the AI from modifying restricted files or flows, applying semantic understanding rather than simple keyword checks. To run Speclock as an MCP server, start it via npx with the serve command so it exposes an API for other MCP-enabled tools to query or enforce constraints. Once running, you can integrate it into your MCP ecosystem (e.g., Claude Code, Cursor, Lovable) by pointing your .mcp.json or equivalent configuration to the speclock server, enabling hard or advisory enforcement depending on your needs. The tool supports creating, managing, and applying policy locks like “Never modify auth files”, “Database must stay PostgreSQL”, and more, with an audit trail and RBAC controls for team access.

Prerequisites:

• Node.js (recommended: LTS, e.g., 14.x or newer) and npm or corepack
• Basic familiarity with MCP configuration formats

Installation steps:

1. Ensure you have Node.js and npm installed
   • Verify: node -v and npm -v
2. Run Speclock via npm (no global install required) to install and start the server locally
   • npx speclock serve --project .
3. If you are integrating into an existing MCP setup, you can export the server config as part of your mcp.json (see example in the README for Claude Code integration)
4. Optional: lock configuration and environment per your deployment: set environment variables or authentication as needed per your security policies

Notes:

• You can customize the project path in --project to point to your repository root or a specific MCP-enabled project directory
• For production deployments, consider containerizing Speclock or using your existing MCP orchestration to manage the server lifecycle

Tips and common considerations:

• The Speclock server enforces semantic locks, so ensure your lock definitions are clear and up to date to avoid false positives.
• If you require stricter enforcement, you can enable hard mode to block violations entirely; combine with a proper audit trail for compliance.
• Use RBAC and API keys to restrict who can read or modify locks in multilingual and multi-repo environments.
• When integrating with other MCP servers, ensure the command and path formats match their expected mcp.json schema (e.g., Claude Code example uses npx with specific args).
• Regularly review and prune locks as your project evolves to prevent drift between policy and actual code behavior.