app-spec-packager
App Spec Packager
Create complete, production-ready specification packages that coding agents can use to build applications without needing timelines, storypoints, budgets, or sprint planning.
Default output
Create a Markdown package folder and, when artifact/file output is available, also create a zip. Use this default structure unless the user asks otherwise:
[app-slug]-spec/
README.md
PRODUCT_SPEC.md
UX_FLOWS.md
DESIGN_SYSTEM_SPEC.md
TECH_ARCHITECTURE.md
ADRS.md
AI_SPEC.md # only if AI/automation/model behavior is relevant
SAFETY_PRIVACY_SECURITY.md
API_AND_DATA_MODEL.md
CLIENT_IMPLEMENTATION_SPEC.md
BACKEND_IMPLEMENTATION_SPEC.md # only if backend/API/server work is relevant
SUBSCRIPTION_BILLING_SPEC.md # only if monetization/payments are relevant
ANALYTICS_OBSERVABILITY_SPEC.md
QA_ACCEPTANCE_TESTS.md
RELEASE_READINESS.md
TASKS.md
REFERENCES.md # include only when research or external facts were used
Use scripts/create_spec_package.py to scaffold the package when helpful, then fill every file with application-specific content.
Core workflow
- Capture the app intent, platform, target users, core workflows, data sensitivity, AI needs, monetization, integrations, and launch constraints.
- Ask only blocking questions. If the user has already given enough context, proceed and mark assumptions explicitly.
- Research current facts when the spec depends on recent platform rules, SDK versions, app store rules, laws, payments, AI providers, security requirements, or framework best practices. Prefer official sources. Put citations and source notes in
REFERENCES.md. - Choose the relevant document set. Omit docs that are truly irrelevant, but keep privacy/security, QA, and tasks for production builds.
- Write requirements as precise, testable statements with stable IDs.
- Convert the spec into executable tasks for coding agents. Every task needs acceptance criteria and tests.
- Validate the package against
references/validation-checklist.mdbefore final output.
Reference loading
Read these files as needed:
references/document-blueprints.md: full section templates for each generated document.references/platform-modules.md: platform-specific concerns for iOS, Android, web, backend, AI, payments, B2B, and regulated products.references/safety-privacy.md: mandatory when the app has accounts, AI, payments, minors, health, mental health, financial/legal advice, location, biometrics, UGC, sensitive data, or safety risk.references/task-taxonomy.md: mandatory before writingTASKS.md.references/validation-checklist.md: mandatory before finalizing.
Writing rules
- Do not include storypoints, budget, timelines, Gantt charts, sprint plans, or staffing plans unless explicitly requested.
- Do not produce vague epics. Produce concrete build tasks.
- Do not over-ask. Use assumptions when safe and reversible.
- Do not bury non-goals. Put them near the top of
PRODUCT_SPEC.mdand repeat critical ones inTASKS.mdas "Do not do" constraints. - Do not use placeholders for known information. Use placeholders only for genuinely unknown values and list them in an "Open decisions" section.
- Do not make legal, medical, financial, or app-review certainty claims. Specify compliance requirements and mark them for legal or platform review.
- Do not recommend storing sensitive content by default. Minimize data, separate local/server/provider data, and define retention.
- Do not call third-party AI providers directly from client apps unless the app is a prototype and the user explicitly accepts that risk.
- Do not create community, UGC, payments, AI memory, location tracking, biometric capture, or health data flows without explicit safety/privacy requirements.
Requirements style
Use stable IDs:
REQ-PROD-001
REQ-UX-001
REQ-ARCH-001
REQ-AI-001
REQ-SEC-001
REQ-API-001
REQ-IOS-001
REQ-WEB-001
REQ-BE-001
REQ-QA-001
Every major requirement should answer:
What must happen?
When does it happen?
Who or what triggers it?
Where is state stored?
What are the edge cases?
How is it tested?
What must never happen?
Task style
Use the task template from references/task-taxonomy.md. A good task includes:
Task ID
Title
Goal
Context
Requirements
Files or areas likely involved
Acceptance criteria
Tests
Dependencies
Do not do
Make tasks implementable by coding agents with minimal back-and-forth. Prefer small, verifiable tasks over broad epics.
Production default assumptions
Use these defaults unless user context contradicts them:
- Prefer native client stacks when platform quality depends on deep platform integration.
- Prefer typed languages, explicit API contracts, migrations, and automated tests.
- Prefer backend mediation for AI, billing, rate limits, and sensitive integrations.
- Prefer local-first or data-minimized designs for sensitive applications.
- Prefer provider abstraction for AI and payments where lock-in is avoidable.
- Prefer no sensitive analytics. Track product events without content or sensitive categories.
- Include accessibility, localization readiness, error states, offline states, observability, deletion/export, and release readiness.
Final response
Return links to the generated folder or zip. Briefly state what was created and call out any assumptions or items that require legal/platform/security review.
More from regenrek/agent-skills
shellck
Run shellcheck on shell scripts after editing scripts or when debugging shell errors. Use for linting scripts in a repo (especially scripts/), catching issues like set -u with unset vars, bad subshell usage, or quoting mistakes.
3gh-repo-bootstrap
Create a new GitHub repository with the gh CLI and bootstrap a local project in ~/projects with git init, README, remote setup, and initial push. Use when the user asks to create a repo (public/private) in their account, set up the local folder, add the upstream remote, and push the first commit.
3find-duplicate-ownership
Find duplicate ownership, hidden second sources of truth, and contract drift in layered codebases. Use when reviewing normalization, validation, defaulting, canonicalization, persistence mapping, runtime-vs-durable state, duplicated helpers, query or cache ownership, or any "who owns this rule?" architecture question. Especially useful for SSOT audits across frontend, backend, shared core, and adapter layers, and when the user explicitly asks for duplicate-ownership exploration with subagents.
3security-leak-guardrails
Sets up secret-leak prevention guardrails with forbidden path checks, gitleaks config, CI secret scanning, and dependency updates. Use when hardening repos against credential leaks or when adding gitleaks, trufflehog, git hooks, or security checks.
3gitwhat
Concise git workspace snapshot for the current directory. Use when asked to show current branch, cwd, repo root, whether the current directory is a worktree, local dirty status, or whether other worktrees have uncommitted changes.
1