I spent a year building products with AI coding tools. Bolt.new, Claude Code, Cursor — I used them all, every day.
The AI was great at writing code. Terrible at respecting boundaries.
## The Pattern That Kept Repeating
Session 1: "Never touch the auth files."
Session 3: Auth is completely rewritten.
Session 2: "We're using PostgreSQL."
Session 5: "I've migrated you to MongoDB — it seemed better."
Session 1: "The API uses Bearer tokens."
Session 7: "I switched to session cookies for simplicity."
Every. Single. Time.
## "But AI Has Memory Now"
Yes — Claude Code shipped native memory in February 2026. Cursor has Memory Bank. Mem0 exists.
But here's what nobody talks about: memory without enforcement is dangerous.
Your AI "remembers" your rules in a text file. But when the context gets long, it ignores them. When a fix seems easier by breaking your
constraint, it breaks it. When it "knows better," it overrides your decision.
Remembering is not the same as respecting.
## What I Built
I built SpecLock — an open source constraint engine that adds active enforcement on top of
persistent memory.
When your AI tries to violate something you locked, SpecLock stops it:
```
You: "Never touch auth files"
AI:  🔒 Locked.

... 5 sessions later ...

You: "Add social login to the login page"
AI:  ⚠️ CONFLICT — this violates your lock "Never modify auth files"
     Proceed or find another approach?
```
No other tool does this. Not Claude's native memory. Not Mem0. Not .cursorrules files.
## How It Works
SpecLock uses semantic conflict detection — not just keyword matching:
- Synonym expansion (15 groups): "remove" matches "delete", "drop", "eliminate"
- Negation detection: understands "never", "don't", "no" in lock text
- Destructive action flagging: catches "rewrite", "replace", "overhaul"
So "remove the login endpoints" correctly triggers against a lock about "never modify auth files" — because it understands auth, login,
endpoints, and remove are all related.
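A minimal sketch of the three checks listed above (synonym expansion, negation detection, destructive-action flagging), added here as an example and not taken from SpecLock's source. The word groups, `parseLock` and `checkConflict` are hypothetical names and constructed sample data, not the project's 15 groups or its API.

```javascript
// Added illustration, not SpecLock's source. All word groups are constructed samples.
const SUBJECTS = [
  ["auth", "authentication", "login", "signin", "session", "token"],
  ["database", "db", "postgres", "postgresql", "schema", "table"],
];
const REMOVE = ["remove", "delete", "drop", "eliminate"]; // synonyms quoted in the post
const CHANGE = ["modify", "touch", "change", "edit", "update", "add"]; // assumed group
const DESTRUCTIVE = ["rewrite", "replace", "overhaul"]; // flagged words from the post
const NEGATIONS = ["never", "don't", "no", "not"];

const tokens = (s) =>
  s.toLowerCase().replace(/’/g, "'").replace(/[^a-z' ]/g, " ").split(/\s+/).filter(Boolean);

// Every word that shares a synonym group with any of `words`.
const expand = (words, groups) =>
  new Set(groups.filter((g) => g.some((w) => words.includes(w))).flat());

function parseLock(text) {
  const words = tokens(text);
  return {
    text,
    prohibits: words.some((w) => NEGATIONS.includes(w)), // negation detection
    subjects: expand(words, SUBJECTS),
    // A lock on "modify"/"touch" forbids every kind of change, removal included.
    actions: words.some((w) => CHANGE.includes(w))
      ? new Set([...CHANGE, ...REMOVE])
      : expand(words, [REMOVE]),
  };
}

function checkConflict(lock, request) {
  const words = tokens(request);
  const subject = words.find((w) => lock.subjects.has(w));
  if (!lock.prohibits || !subject) return { conflict: false, reason: null };
  const verb = words.find((w) => DESTRUCTIVE.includes(w) || lock.actions.has(w));
  if (!verb) return { conflict: false, reason: null };
  const kind = DESTRUCTIVE.includes(verb) ? "destructive action" : "locked action";
  return { conflict: true, reason: `${kind} "${verb}" on locked subject "${subject}"` };
}

const authLock = parseLock("Never modify auth files");
console.log(checkConflict(authLock, "Remove the login endpoints"));
console.log(checkConflict(authLock, "Add social login to the login page"));
console.log(checkConflict(authLock, "Tidy up the credential handler")); // outside the groups
```

The third call returns no conflict because "credential" is not in the sample groups. A lexical check of this kind is an advisory layer, so a locked path still needs a hard control such as file permissions or a pre-commit hook.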
## The Bolt.new Breakthrough
This is what I'm most excited about.
Bolt.new has millions of users. Zero memory solutions. Every chat starts from scratch.
With SpecLock, you just say in any Bolt project:
"Install speclock and set up project memory"
Bolt automatically:
- Runs `npx speclock setup`
- Reads the generated rules file
- Starts capturing goals, decisions, and constraints
- Next session: reads the context file and remembers everything
I tested it — Bolt ran 17 commands automatically on first install. In Session 2, it read the context file and created a plan that respected
all 6 locks and 7 decisions from Session 1.
No MCP needed. No config. No paste.
## Works Everywhere
| Platform | How |
|----------|-----|
| Bolt.new | npx speclock setup — npm file-based mode |
| Claude Code | MCP config — 19 tools |
| Cursor | MCP config |
| Lovable | MCP URL — no install |
| Windsurf / Cline | MCP config |
## Free and Open Source
- GitHub: github.com/sgroy10/speclock
- npm: `npm install speclock`
- License: MIT
- No database, no cloud, no API keys — everything stays in your project directory
## What Would You Lock?
If you could set one unbreakable constraint for your AI coding assistant, what would it be?
I'm curious what other developers are struggling with. The constraint patterns tell me a lot about what to build next.
SpecLock — Because remembering isn't enough. AI needs to respect boundaries.