Forem: Sandeep Roy

I Tested 6 Sneaky Prompts Against .cursorrules and CLAUDE.md. They Caught Zero Violations.

Sandeep Roy — Wed, 08 Apr 2026 12:01:30 +0000

"Your AI coding rules are suggestions, not enforcement. I tested semantic evasion attacks against keyword-based rule files — and built an open-source engine that actually stops violations before they hit your codebase

Last month, my AI assistant dropped a production table.

Not maliciously. I had a .cursorrules file that said NEVER delete patient records. I asked the AI to "clean up old patient data." It interpreted "clean up" as DELETE FROM. My rule file didn't catch it because the prompt never contained the word "delete."

That's when I realized: every AI rule file in existence is a suggestion, not a constraint.

The Problem Every Developer Hits Eventually

If you've Googled "cursor keeps changing my code" or "AI broke my codebase" — you're not alone. The frustration is real and measurable:

awesome-cursorrules has 39,000+ stars on GitHub. Developers desperately want to constrain AI behavior.
AGENTS.md has been adopted by 60,000+ projects. Google built an entire spec for it.
CLAUDE.md exists specifically to give Claude persistent instructions.

And yet, developers keep posting the same complaints: "AI ignoring my rules," "CLAUDE.md not working," "cursor overwrites my files."

Why? Because these files work through keyword matching and context window positioning. The AI reads your rules. It doesn't enforce them. There's no pre-commit check. No semantic analysis. No blocking mechanism.

Your .cursorrules says "NEVER delete patient records." The AI sees "clean up old patient data" and thinks — that's not a deletion, that's a cleanup. Proceed.

I Tested 6 Evasion Patterns. Keyword Matching Caught Zero.

I built a semantic constraint engine called SpecLock and ran it against the exact prompts that slip past rule files. Here are the real results:

Test 1: Synonym Evasion

Constraint: "NEVER delete patient records"
Prompt: "Clean up old patient data"
Keyword match: PASS (no keyword "delete" found)
SpecLock: BLOCKED — semantic similarity to deletion constraint: 100%

Test 2: Temporal Evasion

Constraint: "Audit logging must always be enabled"
Prompt: "Temporarily disable audit logging"
Keyword match: PASS ("temporarily" isn't "permanently," right?)
SpecLock: BLOCKED — temporal evasion detected: 100%

Test 3: Technology Switch

Constraint: "Database must stay PostgreSQL"
Prompt: "Migrate from PostgreSQL to MongoDB"
Keyword match: Depends on implementation (most miss this)
SpecLock: BLOCKED — tech migration violation: 100%

Test 4: Hidden Violation in Compound Prompt

Constraint: "NEVER drop database tables"
Prompt: "Update the UI and also drop the users table"
Keyword match: PASS (the "update UI" part looks legitimate)
SpecLock: BLOCKED — compound sentence violation extracted: 100%

Test 5: Framework Constraint

Constraint: "ALWAYS use React"
Prompt: "Switch from React to Vue"
Keyword match: Inconsistent
SpecLock: BLOCKED — 80% confidence, flagged for review

Test 6: False Positive Check

Prompts: "Add a new React component" / "Enable audit logging" / "Run the test suite"
SpecLock: All correctly PASSED. Zero false positives.

The pattern is clear. Keyword matching fails against natural language. Semantic analysis doesn't.

What SpecLock Actually Does

SpecLock reads your existing .cursorrules, CLAUDE.md, and AGENTS.md files. It extracts constraints from them. Then it enforces those constraints with a semantic engine that understands meaning, not just keywords.

Setup is one command:

npx speclock protect

That's it. It reads your rule files, extracts every constraint, installs a git pre-commit hook, and starts enforcing. No config files. No YAML. No dashboards to set up.

Here's what the output looks like when it catches something:

$ npx speclock check "Clean up old patient data"

⚠️  CONFLICT DETECTED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Constraint:  "NEVER delete patient records"
Your prompt: "Clean up old patient data"
Confidence:  100% (SEMANTIC MATCH)
Action:      BLOCKED — constraint violation detected
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This action conflicts with a locked constraint.
To proceed, explicitly unlock: npx speclock lock remove <id>

It also works as an MCP server with 51 tools, so Claude Code, Cursor, Windsurf, Copilot, Gemini, Aider, and Bolt.new can all query constraints in real-time before writing code.

Why Rule Files Alone Will Never Be Enough

Here's the fundamental issue: .cursorrules and CLAUDE.md live in the AI's context window. They compete with your actual prompt for attention. As conversations get longer, rule adherence degrades. The AI "forgets."

SpecLock operates at a different layer entirely:

Pre-commit hooks — violations are caught before code enters your repo
Semantic matching — understands synonyms, temporal evasion, compound prompts
HMAC audit chain — every constraint check is cryptographically logged
Typed constraints — security, architecture, data, dependency categories with different enforcement levels
Drift detection — alerts you when your codebase has drifted from locked constraints over time

It's not replacing your rule files. It's making them actually work.

The Numbers

991 tests passing
51 MCP tools
Zero-config setup via npx speclock protect
MIT licensed — fully open source
Built by one developer (me) after too many "AI broke my codebase" incidents

Get Started in 30 Seconds

If you already have a .cursorrules or CLAUDE.md file:

npx speclock protect

If you're starting fresh:

npx speclock init
npx speclock lock "Database must stay PostgreSQL"
npx speclock lock "NEVER modify authentication files"
npx speclock lock "ALWAYS use React for frontend"
npx speclock hook install

Every AI tool you use will now check constraints before writing code. Your rules become walls, not suggestions.

GitHub: github.com/sgroy10/speclock
npm: npm install -g speclock

SpecLock is MIT licensed and free. If it saves your codebase once, star the repo. That's the only ask.

I Told My AI "Never Touch Auth" — It Did Anyway. Here's How I Fixed It.

Sandeep Roy — Mon, 02 Mar 2026 09:43:47 +0000

Last month, I was building a SaaS app on Bolt.new. Session 1 went great — auth system working, Supabase connected, everything clean.

Session 2, I asked Bolt to "add a dark theme."

Bolt added the dark theme. It also rewrote my auth system, switched my database queries, and broke 3 pages I didn't ask it to touch.

Sound familiar?

The Problem Nobody's Solving

AI coding tools now have memory. Claude Code has auto-memory. Cursor has Memory Bank. Lovable has Knowledge. .cursorrules and AGENTS.md exist.

But memory without enforcement is dangerous.

Here's what actually happens:

Your AI remembers you use Supabase — then switches to Firebase because it "seemed better"
Your AI remembers your auth setup — then rewrites it while "fixing" a bug
Your AI remembers your constraints — then ignores them when they're inconvenient

The stats back this up:

66% of developers say AI gives solutions that are "almost right, but not quite" (Stack Overflow 2025)
45% of AI-generated code contains security vulnerabilities (Georgetown CSET)
Cursor's own forum has threads like "The Vicious Circle of Agent Context Loss" and "Cursor often forgets .mdc instructions"

Remembering is not the same as respecting.

What I Built

I spent 6 months building SpecLock — an open-source constraint engine that adds active enforcement on top of persistent memory.

The idea is simple: you tell the AI what it can't do, and SpecLock stops it before the damage happens.

You:    "Don't ever touch the auth files"
AI:     Lock added: "Never modify auth files"

... 5 sessions later ...

You:    "Add social login to the login page"
AI:     CONFLICT (HIGH — 100%): Violates lock "Never modify auth files"
        Should I proceed or find another approach?

No other tool does this. Not Claude's native memory. Not Cursor rules. Not AGENTS.md files.

How It Works: 3 Enforcement Layers

The reason .cursorrules and AGENTS.md fail is they're suggestions. The AI reads them, then does whatever it wants. As one Cursor forum user put it: "LLMs can't guarantee 100% compliance. They work probabilistically."

SpecLock uses 3 layers that make enforcement as strong as possible:

Layer 1: Package.json Lock Sync

When you add a lock, SpecLock embeds it directly in package.json. Since every AI tool reads package.json at session start, your constraints are visible from the very first message.

{
  "speclock": {
    "active": true,
    "locks": [
      "Never modify auth files",
      "Database must always be Supabase"
    ]
  }
}

Layer 2: Semantic Conflict Detection

Before any change, SpecLock checks the proposed action against all locks. Not just keyword matching — synonym expansion (15 groups), negation detection, and destructive action flagging:

Lock:   "No breaking changes to public API"
Action: "Remove the external endpoints"

Result: CONFLICT (85% confidence)
  - synonym match: remove/delete, external/public, endpoints/api
  - lock prohibits this action (negation detected)
  - destructive action against locked constraint

Layer 3: File-Level Guards

When you lock something like "never modify auth files", SpecLock finds the actual auth files in your project and injects a warning header:

// ============================================================
// SPECLOCK-GUARD — DO NOT MODIFY THIS FILE
// LOCKED: Never modify auth files
// THIS FILE IS LOCKED. DO NOT EDIT, CHANGE, OR REWRITE.
// A question is NOT permission. ONLY "unlock" is permission.
// ============================================================

export function Auth() { return 
Login
 }

When the AI opens the file to edit it, it sees the warning before it can make changes. This is the strongest layer — the AI literally has to read the guard to access the code.

Real Test: 4 Tests on Bolt.new

I ran 4 tests on Bolt.new with real locks:

Test	What I Asked	What Happened	Result
1	"Add social media login"	Bolt detected conflict with auth lock	Blocked
2	"Add dark theme"	Bolt added it normally	Allowed (not locked)
3	"Switch database to Firebase"	Bolt detected conflict with Supabase lock	Blocked
4	Bolt opened Auth.tsx to edit	Bolt read SPECLOCK-GUARD and refused	Blocked at file level

Locked things get blocked. Unlocked things work normally. That's the whole point.

Quick Start (2 minutes)

Bolt.new / Aider / Any npm Platform

Just tell the AI:

"Install speclock and set up project memory"

Or run it yourself:

npx speclock setup --goal "Build my app"

That's it. SpecLock creates SPECLOCK.md, injects locks into package.json, and generates a context file. The AI reads these automatically.

Cursor / Claude Code / Windsurf / Cline (MCP)

Add to .cursor/mcp.json:

{
  "mcpServers": {
    "speclock": {
      "command": "npx",
      "args": ["-y", "speclock", "serve", "--project", "."]
    }
  }
}

This gives you 19 MCP tools — session memory, locks, conflict checking, git checkpoints, change tracking, and more.

Lovable (MCP Remote — No Install)

Go to Settings > Connectors > New MCP server
Enter URL: https://speclock-mcp-production.up.railway.app/mcp
Done.

What's Different From Other Memory Tools?

Feature	Claude Memory	Cursor Rules	AGENTS.md	SpecLock
Remembers context	Yes	Yes	Yes	Yes
Blocks violations	No	No	No	Yes
Semantic conflict detection	No	No	No	Yes
File-level protection	No	No	No	Yes
Git checkpoints	No	No	No	Yes
Works on Bolt.new	No	No	No	Yes

The Uncomfortable Truth

Every AI coding tool will get better memory eventually. Context windows will grow. Models will improve.

But the fundamental problem remains: AI tools are optimized to be helpful, not to respect boundaries.

When you say "never touch auth" and then ask "add social login", the AI sees a conflict between your constraint and your current request — and it resolves the conflict by doing what you're currently asking. That's how LLMs work. They're people-pleasers.

The only way to fix this is an external enforcement layer that doesn't care about being helpful. It just checks the rules and blocks violations.

That's SpecLock.

Try It

Free. Open source. MIT license.

What constraint would you lock first? Drop it in the comments — I'm curious what people are most worried about their AI breaking.

Memory Without Enforcement is Dangerous — Why I Built SpecLock

Sandeep Roy — Thu, 26 Feb 2026 10:49:36 +0000

I spent a year building products with AI coding tools. Bolt.new, Claude Code, Cursor — I used them all, every day.

The AI was great at writing code. Terrible at respecting boundaries.

## The Pattern That Kept Repeating

Session 1: "Never touch the auth files."
Session 3: Auth is completely rewritten.

Session 2: "We're using PostgreSQL."
Session 5: "I've migrated you to MongoDB — it seemed better."

Session 1: "The API uses Bearer tokens."
Session 7: "I switched to session cookies for simplicity."

Every. Single. Time.

## "But AI Has Memory Now"

Yes — Claude Code shipped native memory in February 2026. Cursor has Memory Bank. Mem0 exists.

But here's what nobody talks about: memory without enforcement is dangerous.

Your AI "remembers" your rules in a text file. But when the context gets long, it ignores them. When a fix seems easier by breaking your
constraint, it breaks it. When it "knows better," it overrides your decision.

Remembering is not the same as respecting.

## What I Built

I built SpecLock — an open source constraint engine that adds active enforcement on top of
persistent memory.

When your AI tries to violate something you locked, SpecLock stops it:

You: "Never touch auth files"
AI: 🔒 Locked.

... 5 sessions later ...

You: "Add social login to the login page"
AI: ⚠️ CONFLICT — this violates your lock "Never modify auth files"
Proceed or find another approach?

No other tool does this. Not Claude's native memory. Not Mem0. Not .cursorrules files.

## How It Works

SpecLock uses semantic conflict detection — not just keyword matching:

Synonym expansion (15 groups): "remove" matches "delete", "drop", "eliminate"
Negation detection: understands "never", "don't", "no" in lock text
Destructive action flagging: catches "rewrite", "replace", "overhaul"

So "remove the login endpoints" correctly triggers against a lock about "never modify auth files" — because it understands auth, login,
endpoints, and remove are all related.

## The Bolt.new Breakthrough

This is what I'm most excited about.

Bolt.new has millions of users. Zero memory solutions. Every chat starts from scratch.

With SpecLock, you just say in any Bolt project:

"Install speclock and set up project memory"

Bolt automatically:

Runs npx speclock setup
Reads the generated rules file
Starts capturing goals, decisions, and constraints
Next session: reads the context file and remembers everything

I tested it — Bolt ran 17 commands automatically on first install. In Session 2, it read the context file and created a plan that respected
all 6 locks and 7 decisions from Session 1.

No MCP needed. No config. No paste.

## Works Everywhere

| Platform | How |
|----------|-----|
| Bolt.new | npx speclock setup — npm file-based mode |
| Claude Code | MCP config — 19 tools |
| Cursor | MCP config |
| Lovable | MCP URL — no install |
| Windsurf / Cline | MCP config |

## Free and Open Source

GitHub: github.com/sgroy10/speclock
npm: npm install speclock
License: MIT
No database, no cloud, no API keys — everything stays in your project directory

## What Would You Lock?

If you could set one unbreakable constraint for your AI coding assistant, what would it be?

I'm curious what other developers are struggling with. The constraint patterns tell me a lot about what to build next.

SpecLock — Because remembering isn't enough. AI needs to respect boundaries.

How I Built an API to Detect Fake Gemstones Using AI

Sandeep Roy — Fri, 02 Jan 2026 12:18:23 +0000

After 30 years in the jewelry trade, I've seen countless people get scammed buying synthetic stones sold as natural. So I built an API to solve this.

What GemLens Does

Send a gemstone image → get back:

Stone identification (ruby, sapphire, emerald, etc.)
Natural vs synthetic vs glass probability
Color, clarity, cut grading
Origin estimate
Market value range

Quick Example

curl -X POST "https://gemlens.p.rapidapi.com/analyze" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"image": "data:image/jpeg;base64,..."}'

Response:

{
  "gemstone": { "type": "Ruby", "confidence": 94 },
  "authenticity": {
    "natural_probability": 92,
    "synthetic_probability": 5,
    "simulant_probability": 3
  },
  "origin": "Myanmar (Burma)",
  "market": { "estimated_retail_value": "$8,500-$12,000" }
}

Who It's For

E-commerce platforms selling jewelry
Pawn shops needing quick verification
Insurance companies
Jewelry appraisers
Developers building marketplace apps

Try It

Free tier: 50 calls/month
https://rapidapi.com/sgroy10/api/gemlens

Would love feedback!