Skip to main content

Appendix B: Recommended Tool Stack

This appendix provides a comprehensive reference for tools that support Spec-Driven Development. Each layer includes tools with descriptions, when to use them in SDD, and one-line getting started commands.

Layer Overview

LayerCategoryPrimary ToolsSDD Role
1Specification AuthoringMarkdown, Vale, NunjucksCreate and validate specs
2AI Coding AgentsCursor, Claude, Windsurf, OpenAI APIGenerate code from specs
3Agent ConfigurationSKILL.md, AGENTS.md, .cursor/rules, MCPGuide AI behavior
4Version ControlGit, GitHub, GitLabSpec-first workflows
5TestingVitest, Playwright, PytestValidate against specs
6Contract TestingPact, Specmatic, PrismAPI contract validation
7CI/CDGitHub Actions, GitLab CISpec validation pipelines
8ObservabilityOpenTelemetry, GrafanaSDD-specific instrumentation
9Security ScanningSnyk, Semgrep, TrivyAI-generated code review
10DocumentationDocusaurus, MkDocsPublish specifications

1. Specification Authoring

ToolWhat It DoesWhen to Use in SDDGetting Started
VS Code / CursorMarkdown editing with preview, extensionsPrimary editor for spec authoring; AI-assisted spec expansioncode specs/ or open in Cursor
TyporaWYSIWYG Markdown editorWhen non-technical stakeholders need to edit specsDownload from typora.io
ValeProse linter for style and consistencyEnforce spec writing standards; catch passive voice, jargonvale specs/
markdownlintMarkdown structure and syntax lintingEnsure valid Markdown; consistent formattingnpx markdownlint-cli specs/**/*.md
Nunjucks / HandlebarsTemplate engines for spec generationGenerate specs from templates with variablesnpm install nunjucks
MermaidDiagram-as-code (flowcharts, sequences)Embed architecture diagrams in specs````mermaid graph TD` in Markdown
StructurizrC4 model for architecture diagramsDocument system context in spec appendicesstructurizr export -workspace workspace.dsl

Spec Linter Configuration (Vale)

# .vale.ini
StylesPath = styles
MinAlertLevel = suggestion

[*.md]
BasedOnStyles = Google, write-good

SDD-specific: Use Vale to enforce "Given/When/Then" in acceptance criteria, flag [NEEDS CLARIFICATION] resolution, and check for vague terms ("appropriate," "properly").

2. AI Coding Agents

ToolWhat It DoesWhen to Use in SDDGetting Started
CursorVS Code fork with integrated AI; rules, skills, agentsPrimary SDD agent; spec-in-context, plan-driven taskscursor . (open project)
Claude Code (Anthropic)Standalone AI coding assistantWhen Cursor unavailable; spec-to-code generationclaude or API
Gemini CLI (Google)Command-line AI for code generationMulti-modal spec analysis; code generationgemini generate "implement spec"'
WindsurfAI-powered IDE (Codeium)Alternative to Cursor; spec-aware codingws . (open project)
GitHub CopilotInline code completion and chatLightweight AI assist; less spec-centricEnable in VS Code/Cursor
OpenAI API (Responses API)Programmatic agentic code generation with toolsCI/CD automation, spec-to-plan assistants, eval-driven pipelinesnpm install openai

AI Coding Agents Comparison

FeatureCursorClaude CodeWindsurfCopilot
Spec-in-context✅ Rules, skills✅ Manual paste✅ Rules⚠️ Limited
Plan-driven tasks✅ tasks.md⚠️ Manual✅ Tasks
SKILL.md support✅ Native⚠️ Custom
.cursor/rules
Multi-file editing⚠️ Chat only
Cost modelSubscriptionAPI/ProFreemiumSubscription
Best for SDDPrimarySpec-heavy batchesCursor alternativeLight assist

SDD recommendation: Use Cursor as primary agent for its rules, skills, and spec-driven workflow. Claude Code for batch spec processing. Windsurf if team prefers Codeium models.

API currency note (2026): Prefer modern APIs such as OpenAI Responses API and equivalent current endpoints from other providers. Avoid legacy completion-style examples tied to retired models.

3. Agent Configuration

Tool/StandardWhat It DoesWhen to Use in SDDGetting Started
SKILL.mdReusable skill definitions for AI agentsPackage domain knowledge, workflows, constraintsCreate skills/[skill-name]/SKILL.md
AGENTS.mdAgent role definitions and handoff protocolsDefine spec→plan→task agent flow; subagent orchestrationCreate AGENTS.md in project root
.cursor/rules/Cursor-specific rules (MDC format)Per-file, per-folder AI guidance; constitution enforcementCreate .cursor/rules/constitution.mdc
.cursorrulesLegacy single-file rulesSimple projects; single rule fileCreate .cursorrules in project root
RULE.mdFile-specific AI instructionsOverride behavior for spec files, plan filesCreate RULE.md in specs/
MCP (Model Context Protocol)Standardized tool/context integration for agentsConnect agents to repositories, docs, ticketing, and internal systemsConfigure MCP servers in your agent runtime
A2A (Agent2Agent)Protocol for interoperability between specialized agentsMulti-agent workflows: planner agent, implementer agent, reviewer agentUse an A2A-compatible gateway/runtime

Configuration Hierarchy

AGENTS.md          → Agent roles, handoffs
.cursor/rules/     → Globs: specs/**, src/**
  constitution.mdc → Load constitution for all spec work
  sdd-workflow.mdc → Spec→Plan→Task flow
.cursorrules       → Fallback global rules
specs/RULE.md      → Spec-specific: "Focus on WHAT not HOW"

SKILL.md Template Snippet

# Skill: [Name]
## When to Use
Use when [condition].
## Instructions
1. [Step]
2. [Step]
## Output
[Expected format]

SDD-specific: Create skills for /speckit.specify, /speckit.plan, /speckit.tasks to standardize AI behavior across the pipeline.

4. Version Control

ToolWhat It DoesWhen to Use in SDDGetting Started
GitDistributed version controlCore VCS for specs and codegit init
GitHubHosting, PRs, ActionsSpec-first PR workflow; branch per featuregh repo create
GitLabHosting, CI/CD, MRsAlternative to GitHub; built-in CIgitlab-create-project
Git LFSLarge file storageIf specs include diagrams, assetsgit lfs install

Git Workflow for Spec-Driven Development

PracticeCommand/PatternPurpose
Branch per featuregit checkout -b 004-real-time-chatIsolate spec + plan + code
Spec-first commitsCommit spec.md before plan.mdTraceability
Branch naming[number]-[kebab-case] e.g. 004-real-time-chatConsistent, sortable
PR templateInclude spec link, AC checklistEnforce spec→code linkage

Branch Naming Convention

[FEATURE_NUMBER]-[short-description]

Examples:
003-password-reset
004-real-time-chat
005-csv-export

PR Template (GitHub)

## Spec
- [ ] spec.md reviewed and approved
- [ ] plan.md aligns with spec
- [ ] All [NEEDS CLARIFICATION] resolved

## Implementation
- [ ] Phase gates passed
- [ ] Contract tests pass
- [ ] Integration tests pass

5. Testing

ToolWhat It DoesWhen to Use in SDDGetting Started
VitestFast unit/integration test runner (Vite)JS/TS: contract tests, integration testsnpm create vitest@latest
JestUnit/integration testingJS/TS: established projectsnpm install jest --save-dev
PlaywrightE2E browser testingValidate user journeys from specnpm init playwright@latest
CypressE2E testing with time-travelAlternative to Playwrightnpm install cypress --save-dev
PytestPython testing frameworkPython: integration, property-basedpip install pytest
CucumberBDD with GherkinAcceptance criteria as executable specsnpm install @cucumber/cucumber
fast-checkProperty-based testing (JS/TS)Edge cases, invariants from specnpm install fast-check
HypothesisProperty-based testing (Python)Python: property-basedpip install hypothesis

Test Tool Use Case Mapping

Use CaseToolSDD Mapping
Contract validationVitest + OpenAPIplan.md contracts
Integration (real DB)Vitest/Jest + Testcontainersplan.md phases
E2E user flowsPlaywrightspec.md user journeys
Acceptance criteriaCucumber (Gherkin)spec.md AC-*
Edge casesfast-check, Hypothesisspec.md edge cases
Performance NFRsk6, Artilleryspec.md NFR-*

One-Line Commands

# Vitest
npx vitest run

# Playwright
npx playwright test

# Pytest
pytest tests/ -v

# fast-check (in test file)
import * as fc from 'fast-check';

6. Contract Testing

ToolWhat It DoesWhen to Use in SDDGetting Started
PactConsumer-driven contract testingMicroservices; consumer defines contractnpm install @pact-foundation/pact
SpecmaticContract-first; OpenAPI as source of truthREST APIs; spec→contract→testnpx specmatic test
PrismOpenAPI mock server + validationMock API from contract; validate requestsnpx @stoplight/prism mock contract.yaml
DreddHTTP contract testing from OpenAPIValidate live API against OpenAPInpx dredd contract.yaml http://localhost:3000
OpenAPI ValidatorValidate requests/responsesCustom middleware; runtime validationnpm install openapi-validator-middleware

Contract Testing Comparison

ToolStyleBest ForSDD Fit
PactConsumer-drivenMicroservices, many consumersWhen consumers own contract
SpecmaticContract-firstREST, OpenAPI-centricStrong — spec→contract→code
PrismMock + validateDesign phase, frontend devMock before implementation
DreddProbe live APIValidate implementationPost-implementation validation

SDD Contract Workflow

  1. plan.md defines contracts/api.yaml (OpenAPI)
  2. Prism mocks API for frontend/parallel work
  3. Dredd or Specmatic validates implementation against contract
  4. Contract tests run in CI before merge
# Prism mock
npx @stoplight/prism mock specs/004-chat/contracts/api.yaml

# Dredd validate
npx dredd specs/004-chat/contracts/api.yaml http://localhost:3000

API Specification Updates (2026)

  • OpenAPI 3.2: recommended baseline for REST contracts.
  • Arazzo: document and execute multi-step API workflows.
  • Overlay: apply environment/team-specific patches to base API specs.
  • AsyncAPI 3.1: keep event-driven contracts aligned with the same spec-first discipline.

7. CI/CD

ToolWhat It DoesWhen to Use in SDDGetting Started
GitHub ActionsWorkflow automationSpec validation, contract tests, deployCreate .github/workflows/sdd.yml
GitLab CIPipeline automationAlternative to GitHub ActionsCreate .gitlab-ci.yml
JenkinsSelf-hosted pipelinesEnterprise; custom SDD stagesjenkinsfile with spec stage
CircleCICloud CI/CDAlternative to GitHub ActionsCreate .circleci/config.yml

Spec Validation Pipeline (GitHub Actions)

# .github/workflows/sdd-validate.yml
name: SDD Validate
on: [push, pull_request]
jobs:
  spec-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check spec completeness
        run: |
          # Ensure no [NEEDS CLARIFICATION] in specs/
          ! grep -r "NEEDS CLARIFICATION" specs/ || exit 1
      - name: Vale lint specs
        run: |
          npm install -g vale
          vale specs/
  contract-test:
    runs-on: ubuntu-latest
    needs: spec-check
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm run build
      - run: npm run test:contract

GitLab CI Spec Validation

# .gitlab-ci.yml
stages:
  - validate
  - test

validate:spec:
  stage: validate
  script:
    - ! grep -r "NEEDS CLARIFICATION" specs/ || exit 1
    - vale specs/

test:contract:
  stage: test
  script:
    - npm run test:contract

8. Observability

ToolWhat It DoesWhen to Use in SDDGetting Started
OpenTelemetryVendor-neutral tracing, metrics, logsInstrument generated code; spec-driven metricsnpm install @opentelemetry/api
GrafanaDashboards, alertingVisualize spec-defined metricsdocker run -d grafana/grafana
PrometheusMetrics collection, alertingScrape spec-defined metricsdocker run -d prom/prometheus
DataDogAPM, logs, metricsManaged observability; SDD dashboardsnpm install dd-trace
JaegerDistributed tracingTrace spec-defined spansdocker run -d jaegertracing/all-in-one
LokiLog aggregationQuery spec-defined log fieldsdocker run -d grafana/loki

SDD-Specific Observability Configuration

Spec SectionOTel InstrumentationGrafana Panel
Observability RequirementsMetrics from telemetry.mdDashboard from telemetry.md
LogsStructured logger with trace_idLog explorer
AlertsAlertmanager rulesAlert thresholds
MetricsCounter, Histogram, GaugePanels per metric

One-Line Commands

# OpenTelemetry Node
npm install @opentelemetry/sdk-node @opentelemetry/auto-instrumentations-node

# Grafana (Docker)
docker run -d -p 3000:3000 grafana/grafana

# Prometheus
docker run -d -p 9090:9090 prom/prometheus

9. Security Scanning

ToolWhat It DoesWhen to Use in SDDGetting Started
SnykDependency + code vulnerability scanningScan AI-generated dependencies; enforce SEC-*snyk test
SemgrepStatic analysis with custom rulesEnforce security constraints; catch AI mistakessemgrep scan --config auto
TrivyContainer + dependency scanningScan Docker images from generated Dockerfilestrivy image [image]
SonarQubeCode quality, security, duplicationBroader quality gate for generated codesonar-scanner
npm auditNode dependency vulnerabilitiesQuick check for JS projectsnpm audit

AI-Generated Code Review Focus

ConstraintToolRule/Check
No hardcoded secretsSemgrepDetect API keys, passwords
Parameterized queriesSemgrepSQL injection patterns
Auth on endpointsSemgrepRoute without auth middleware
Dependency vulnsSnyk, npm auditCVE in deps
Container vulnsTrivyBase image CVEs

One-Line Commands

# Snyk
npx snyk test

# Semgrep
pip install semgrep && semgrep scan --config auto .

# Trivy
docker run aquasec/trivy image [your-image]

10. Documentation

ToolWhat It DoesWhen to Use in SDDGetting Started
DocusaurusReact-based doc sitePublish specs as docs; versionednpx create-docusaurus@latest
MkDocsPython-based doc siteLightweight; Markdown-nativepip install mkdocs
VitePressVite-powered static docsFast; Vue-basednpm create vitepress@latest
GitBookHosted documentationQuick publish; collaborationgitbook.com
Read the DocsHosted MkDocsFree hosting for open sourcereadthedocs.org

Publishing Specifications

ApproachToolUse Case
Specs as docsDocusaurus, MkDocsInternal/external spec portal
Versioned specsDocusaurus versioningSpec history per release
SearchAlgolia DocSearchFind specs by keyword
API docsOpenAPI → Redoc/Swaggercontracts/ as API docs

MkDocs for Specs

# mkdocs.yml
site_name: Project Specs
nav:
  - Home: index.md
  - Specs:
    - Feature 001: specs/001-password-reset/spec.md
    - Feature 002: specs/002-invitations/spec.md
  - Plans:
    - Feature 001: specs/001-password-reset/plan.md
pip install mkdocs mkdocs-material
mkdocs serve

Complete Tool Stack Summary Table

LayerCategoryToolsNotes
1Specification AuthoringVS Code/Cursor, Vale, markdownlint, Nunjucks, MermaidVale for prose; Mermaid for diagrams
2AI Coding AgentsCursor, Claude Code, Windsurf, CopilotCursor primary for SDD
3Agent ConfigurationSKILL.md, AGENTS.md, .cursor/rules, .cursorrulesHierarchy: AGENTS → rules → RULE
4Version ControlGit, GitHub, GitLabBranch per feature; spec-first PRs
5TestingVitest, Playwright, Pytest, Cucumber, fast-check, HypothesisMap to spec: AC, edge cases, NFRs
6Contract TestingPact, Specmatic, Prism, DreddSpecmatic for contract-first SDD
7CI/CDGitHub Actions, GitLab CISpec validation + contract tests
8ObservabilityOpenTelemetry, Grafana, Prometheus, DataDogtelemetry.md → instrumentation
9Security ScanningSnyk, Semgrep, TrivyAI-generated code review
10DocumentationDocusaurus, MkDocs, VitePressPublish specs as living docs

Quick Reference: One-Line Commands by Layer

LayerCommand
1vale specs/
2cursor .
3(Create files manually)
4git checkout -b 004-feature-name
5npx vitest run | npx playwright test | pytest tests/
6npx dredd contract.yaml http://localhost:3000
7gh workflow run sdd-validate
8docker run -d -p 3000:3000 grafana/grafana
9npx snyk test | semgrep scan --config auto .
10mkdocs serve | npm run docs:dev

Tool Selection Decision Tree

Need to write specs?           → Cursor + Vale + Mermaid
Need AI to implement?           → Cursor (primary) or Claude Code
Need to constrain AI?           → SKILL.md + .cursor/rules + constitution
Need spec versioning?           → Git + branch per feature
Need to validate implementation? → Contract tests (Dredd/Specmatic) + Integration (Vitest)
Need to validate NFRs?          → k6/Artillery + Grafana
Need to scan AI code?           → Semgrep + Snyk
Need to publish specs?          → MkDocs or Docusaurus

SDD Pipeline Integration Examples

Example 1: Full SDD Pipeline with GitHub Actions

name: SDD Full Pipeline
on:
  push:
    branches: [main, '*-*']
  pull_request:
    branches: [main]
jobs:
  validate-specs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for unresolved clarifications
        run: |
          if grep -r "NEEDS CLARIFICATION" specs/ 2>/dev/null; then
            echo "Unresolved [NEEDS CLARIFICATION] found"
            exit 1
          fi
      - name: Vale lint
        uses: errata-ai/vale-action@v2
        with:
          files: specs/
  contract-tests:
    runs-on: ubuntu-latest
    needs: validate-specs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - run: npm run build
      - run: npm run test:contract
  integration-tests:
    runs-on: ubuntu-latest
    needs: contract-tests
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_PASSWORD: test
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm run test:integration

Example 2: Spec-to-Deploy with Observability

For production SDD deployments, ensure telemetry from telemetry.md is instrumented:

  1. Build: Compile with OpenTelemetry auto-instrumentation
  2. Deploy: Container includes OTel collector config
  3. Verify: Grafana dashboard from spec matches deployed metrics
  4. Alert: Alertmanager rules from spec thresholds

Example 3: Multi-Agent SDD Workflow

AgentConfigResponsibility
Spec AgentAGENTS.md roleExpands user prompt → spec.md
Plan Agent.cursor/rules/plan.mdcspec.md → plan.md, contracts
Task Agent.cursor/rules/tasks.mdcplan.md → tasks.md
Impl Agent.cursor/rules/impl.mdctasks.md → code

Each agent loads constitution + domain constraints. Handoff via files in specs/[branch]/.

Tool Version Compatibility (2026)

Tool / StandardRecommended VersionNotes
Node.js20 LTS or newer LTSFor Vitest, Playwright, and most JS tooling
Python3.11+For Pytest, Hypothesis, MkDocs
Vale3.xProse linting
OpenTelemetry1.xStable telemetry API
Playwright1.40+E2E testing
Docusaurus3.xDoc publishing
OpenAPI3.2REST contract baseline
AsyncAPI3.1Event-driven contracts
MCP2025-06-18 spec line or newerTool/context interoperability for agents
SLSA1.1Supply-chain assurance guidance for CI/CD
SBOMSPDX 3.0 or CycloneDX 1.6Dependency and artifact traceability

Previous: Appendix A - Specification Templates | Next: Appendix C - 2026 Updates for Spec-Driven Development