fix: resolve remaining PR1690 review threads

Author: medhatgalal

.devcontainer/post-create.sh

@@ -54,6 +54,7 @@ echo "✅ Done"
 echo -e "\n🤖 Installing Kiro CLI..."
 # https://kiro.dev/docs/cli/
 KIRO_INSTALLER_URL="https://cli.kiro.dev/install"
+KIRO_INSTALLER_SHA256="7487a65cf310b7fb59b357c4b5e6e3f3259d383f4394ecedb39acf70f307cffb"
 KIRO_INSTALLER_PATH="$(mktemp)"
 
 cleanup_kiro_installer() {
@@ -62,17 +63,7 @@ cleanup_kiro_installer() {
 trap cleanup_kiro_installer EXIT
 
 run_command "curl -fsSL \"$KIRO_INSTALLER_URL\" -o \"$KIRO_INSTALLER_PATH\""
-
-if [ -n "${KIRO_INSTALLER_SHA256:-}" ]; then
-  run_command "echo \"$KIRO_INSTALLER_SHA256  $KIRO_INSTALLER_PATH\" | sha256sum -c -"
-elif [ "${KIRO_SKIP_KIRO_INSTALLER_VERIFY:-0}" = "1" ]; then
-  echo -e "\033[0;33m[WARN] KIRO_INSTALLER_SHA256 is not set; proceeding without installer checksum verification.\033[0m" >&2
-  echo -e "\033[0;33m[WARN] Set KIRO_INSTALLER_SHA256 to enforce verification, or intentionally override with KIRO_SKIP_KIRO_INSTALLER_VERIFY=1.\033[0m" >&2
-else
-  echo -e "\033[0;31m[ERROR] Refusing to run unverified Kiro installer.\033[0m" >&2
-  echo -e "\033[0;31mSet KIRO_INSTALLER_SHA256 (recommended) or explicitly set KIRO_SKIP_KIRO_INSTALLER_VERIFY=1 to proceed.\033[0m" >&2
-  exit 1
-fi
+run_command "echo \"$KIRO_INSTALLER_SHA256  $KIRO_INSTALLER_PATH\" | sha256sum -c -"
 
 run_command "bash \"$KIRO_INSTALLER_PATH\""
 

src/specify_cli/__init__.py

@@ -1489,8 +1489,9 @@ def init(
                 if skills_ok and not here:
                     agent_cfg = AGENT_CONFIG.get(selected_ai, {})
                     agent_folder = agent_cfg.get("folder", "")
+                    commands_subdir = agent_cfg.get("commands_subdir", "commands")
                     if agent_folder:
-                        cmds_dir = project_path / agent_folder.rstrip("/") / "commands"
+                        cmds_dir = project_path / agent_folder.rstrip("/") / commands_subdir
                         if cmds_dir.exists():
                             try:
                                 shutil.rmtree(cmds_dir)

tests/test_agent_config_consistency.py

@@ -62,6 +62,14 @@ def test_init_ai_help_includes_roo_and_kiro_alias(self):
         assert "roo" in AI_ASSISTANT_HELP
         assert "Use 'kiro' as an alias for 'kiro-cli'." in AI_ASSISTANT_HELP
 
+    def test_devcontainer_kiro_installer_uses_pinned_checksum(self):
+        """Devcontainer installer should always verify Kiro installer via pinned SHA256."""
+        post_create_text = (REPO_ROOT / ".devcontainer" / "post-create.sh").read_text(encoding="utf-8")
+
+        assert 'KIRO_INSTALLER_SHA256="7487a65cf310b7fb59b357c4b5e6e3f3259d383f4394ecedb39acf70f307cffb"' in post_create_text
+        assert "sha256sum -c -" in post_create_text
+        assert "KIRO_SKIP_KIRO_INSTALLER_VERIFY" not in post_create_text
+
     def test_release_output_targets_kiro_prompt_dir(self):
         """Packaging and release scripts should no longer emit amazonq artifacts."""
         sh_text = (REPO_ROOT / ".github" / "workflows" / "scripts" / "create-release-packages.sh").read_text(encoding="utf-8")

tests/test_ai_skills.py

@@ -465,8 +465,9 @@ def _fake_extract(self, agent, project_path, **_kwargs):
         """Simulate template extraction: create agent commands dir."""
         agent_cfg = AGENT_CONFIG.get(agent, {})
         agent_folder = agent_cfg.get("folder", "")
+        commands_subdir = agent_cfg.get("commands_subdir", "commands")
         if agent_folder:
-            cmds_dir = project_path / agent_folder.rstrip("/") / "commands"
+            cmds_dir = project_path / agent_folder.rstrip("/") / commands_subdir
             cmds_dir.mkdir(parents=True, exist_ok=True)
             (cmds_dir / "speckit.specify.md").write_text("# spec")
 
@@ -496,6 +497,30 @@ def fake_download(project_path, *args, **kwargs):
         cmds_dir = target / ".claude" / "commands"
         assert not cmds_dir.exists()
 
+    def test_new_project_nonstandard_commands_subdir_removed_after_skills_succeed(self, tmp_path):
+        """For non-standard agents, configured commands_subdir should be removed on success."""
+        from typer.testing import CliRunner
+
+        runner = CliRunner()
+        target = tmp_path / "new-kiro-proj"
+
+        def fake_download(project_path, *args, **kwargs):
+            self._fake_extract("kiro-cli", project_path)
+
+        with patch("specify_cli.download_and_extract_template", side_effect=fake_download), \
+             patch("specify_cli.ensure_executable_scripts"), \
+             patch("specify_cli.ensure_constitution_from_template"), \
+             patch("specify_cli.install_ai_skills", return_value=True) as mock_skills, \
+             patch("specify_cli.is_git_repo", return_value=False), \
+             patch("specify_cli.shutil.which", return_value="/usr/bin/git"):
+            result = runner.invoke(app, ["init", str(target), "--ai", "kiro-cli", "--ai-skills", "--script", "sh", "--no-git"])
+
+        assert result.exit_code == 0
+        mock_skills.assert_called_once()
+
+        prompts_dir = target / ".kiro" / "prompts"
+        assert not prompts_dir.exists()
+
     def test_commands_preserved_when_skills_fail(self, tmp_path):
         """If skills fail, commands should NOT be removed (safety net)."""
         from typer.testing import CliRunner