The proliferation of AI-assisted "vibe coding" enables rapid software development but introduces significant security risks, as Large Language Models (LLMs) prioritize functional correctness over security. We present Constitutional Spec-Driven Development, a methodology that embeds non-negotiable security principles into the specification layer, ensuring AI-generated code adheres to security requirements by construction rather than inspection. Our approach introduces a Constitution: a versioned, machine-readable document encoding security constraints derived from Common Weakness Enumeration (CWE)/MITRE Top 25 vulnerabilities and regulatory frameworks. We demonstrate the methodology through a banking microservices application, selected as a representative example domain due to its stringent regulatory and security requirements, implementing customer management, account operations, and transaction processing. The methodology itself is domain-agnostic. The implementation addresses 10 critical CWE vulnerabilities through constitutional constraints with full traceability from principles to code locations. Our case study shows that constitutional constraints reduce security defects by 73% compared to unconstrained AI generation while maintaining developer velocity. We contribute a formal framework for constitutional security, a complete development methodology, and empirical evidence that proactive security specification outperforms reactive security verification in AI-assisted development workflows.
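As an added illustration (not code from the paper), the sketch below shows one way a versioned, machine-readable constitution could be checked for traceability from principles to code locations. The schema, the `SEC-00x` principle ids, the `# constitution:` annotation syntax and the file names are all assumptions made for this example; the CWE ids are real entries chosen for illustration, not the paper's list of ten.

```python
import re

# Constructed constitution (hypothetical schema): versioned, machine-readable,
# each principle tied to a CWE entry.
CONSTITUTION = {
    "version": "1.0.0",
    "principles": {
        "SEC-001": {"cwe": "CWE-89", "rule": "All SQL uses parameterized queries"},
        "SEC-002": {"cwe": "CWE-798", "rule": "No hard-coded credentials"},
        "SEC-003": {"cwe": "CWE-862", "rule": "Every endpoint checks authorization"},
    },
}

# Constructed source files carrying hypothetical trace annotations.
SOURCES = {
    "accounts/repo.py": (
        "def get_account(db, account_id):\n"
        "    # constitution: SEC-001\n"
        "    return db.execute('SELECT * FROM accounts WHERE id = ?', (account_id,))\n"
    ),
    "transactions/api.py": (
        "def transfer(user, src, dst, amount):\n"
        "    # constitution: SEC-003\n"
        "    require_owner(user, src)\n"
        "    # constitution: SEC-009\n"
        "    post_transfer(src, dst, amount)\n"
    ),
}

TRACE = re.compile(r"#\s*constitution:\s*([A-Z]+-\d+)")

def trace_report(constitution, sources):
    """Map each principle to its code locations and flag gaps in both directions."""
    known = constitution["principles"]
    traces = {pid: [] for pid in known}
    unknown = []  # annotations naming a principle the constitution does not define
    for path, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pid in TRACE.findall(line):
                loc = f"{path}:{lineno}"
                if pid in known:
                    traces[pid].append(loc)
                else:
                    unknown.append((pid, loc))
    # Principles with no code location are the traceability gaps to fail a build on.
    untraced = sorted(pid for pid, locs in traces.items() if not locs)
    return {"version": constitution["version"], "traces": traces,
            "untraced": untraced, "unknown": unknown}

if __name__ == "__main__":
    report = trace_report(CONSTITUTION, SOURCES)
    for pid, locs in report["traces"].items():
        print(pid, CONSTITUTION["principles"][pid]["cwe"], locs or "NO TRACE")
    print("unknown references:", report["unknown"])
```

A check like this only proves that an annotation exists at a location, not that the code there satisfies the principle; it complements review and testing rather than replacing them.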