feat: #179 Codity.ai AI code review integration — CodityAdapter, skill, ARCH §39, 70 skills#181
Conversation
…eaks CodeQL taint CodeQL's py/path-injection taint tracker re-tainted root through the Path.__truediv__ operator even when root came from os.path.realpath. Fix: pre-compute sub-paths as plain strings via os.path.join(str(root), 'const', 'const'). os.path.join of a sanitised left operand and constant right operands produces a value CodeQL unambiguously tracks as clean — no Path() taint re-introduction. Alerts 113-115 on main (lines 100/115/126) dismissed as false positives. No user-controlled data flows into any filename component at any point. Co-Authored-By: Oz <oz-agent@warp.dev>
…s through sync - Add src/specsmith/esdb/__init__.py and bridge.py — thin re-export of chronomemory.EsdbBridge under the specsmith.esdb namespace so CLI commands can import without pulling chronomemory at the top of cli.py - sync.py: pass-through platform/boundary/confidence fields from YAML source into the requirements machine-state JSON so generate_requirements_md and belief.py can render/parse epistemic metadata end-to-end Co-Authored-By: Oz <oz-agent@warp.dev>
…ule fixes chronomemory v0.1.1 (Phase 3: NDJSON WAL, PyO3 bindings, pyo3 security fix): - pyproject.toml: pin chronomemory dep to @v0.1.1 tag - specsmith.esdb.__init__: re-export full v0.1.1 API surface — Phase 2 types (DepGraph, DependencyEdge, RollbackReport, invalidate, ContextPack, ContextPackCompiler, ContextPackEntry), Phase 3 (RustChronoStore, RustRecord, RUST_BACKEND), plus query and metrics module references - specsmith.esdb.bridge: update to expose Phase 2/3 types and query/metrics - retrieval.py: replace store.query(rag_filter=True) with query.what_is_known(store) — critical rule §18: excludes infra record kinds (edge, rollback_event, token_metric, skill_run) from the RAG index - context_seed.py: replace store.query() with query.what_is_known(store) in _load_esdb_snippet() — ESDB records are injected into LLM context; infra records must never appear there (critical rule §23) Co-Authored-By: Oz <oz-agent@warp.dev>
chronomemory-esdb (governance domain):
Full v0.1.1 API reference + 5 critical rules as an installable skill.
Covers: imports, ChronoStore write/read, query.what_is_known, ContextPackCompiler,
DepGraph, epistemic rollback, 10 query function signatures, token metrics,
skills system, and RUST_BACKEND note. Activated by esdb/chronomemory/query tags.
github-actions-ci (devops domain):
Layer1Labs CI pattern: permissions:{} at workflow level, per-job contents:read,
all jobs parallel (no needs chain), Python 3.10-3.13 x ubuntu+windows matrix,
--cov-fail-under=85 gate, named jobs, fail-fast:false. Includes canonical template
and explicit 'What NOT to do' list. Rust project job templates included.
pyproject.toml: add E501 ignore for src/specsmith/skills/*.py (markdown body content)
Co-Authored-By: Oz <oz-agent@warp.dev>
specsmith save --force Propagates --force to the underlying run_push() call, bypassing the gitflow direct-to-main guard and any other push safety checks. Equivalent to: specsmith save --no-push && specsmith push --force. specsmith pull --discard Hard-resets to origin/<branch> then pulls, discarding all local changes. Equivalent to: git fetch && git reset --hard origin/<branch>. specsmith pull --clean Like --discard but also runs git clean -fd to remove untracked files. vcs_commands.py: add run_discard(root, *, clean=False) implementation. tests/fixtures/api_surface.json: regenerated after CLI surface change. Closes #178 Co-Authored-By: Oz <oz-agent@warp.dev>
- ruff format governance.py, devops.py, vcs_commands.py (CI was failing on format check — ruff check was run locally but not ruff format) - Add gh-ci-polling skill (governance domain): documents gh run watch as the correct primitive for waiting on CI; explicitly bans sleep-based waits; covers bash + PowerShell patterns, failure log tailing, run ID extraction, and the one acceptable polling loop with state checks Co-Authored-By: Oz <oz-agent@warp.dev>
…cs sync
Skills catalog (new):
- terminal-awareness (cross-platform): shell detection, PS5 vs PS7 diffs,
cmd.exe rules, bash/zsh/fish, Python/pwsh subprocess+PID tracking,
hanging-process prevention, cross-platform equivalents table, cleanup checklist
- REQ-341/TEST-341 through REQ-350/TEST-350 covering all above
Architecture (§36-38 added):
- §36: specsmith.esdb namespace — chronomemory v0.1.1 full re-export, I12
- §37: Skills catalog governance — terminal-awareness, chronomemory-esdb,
gh-ci-polling, github-actions-ci; I13
- §38: VCS force operations — save --force, pull --discard/--clean; I14
Governance sync:
- requirements.json: 298 → 308 entries
- testcases.json: 301 → 311 entries
- REQUIREMENTS.md + TESTS.md regenerated from YAML sources
- api_surface.json fixture updated
CI pattern (chronomemory match):
- permissions: {} at workflow level (deny-all)
- permissions: contents: read per job
- Named jobs (name: field)
- Removed concurrency cancel-in-progress block
- Python matrix 3.10/3.11/3.12/3.13 x ubuntu+windows
Co-Authored-By: Oz <oz-agent@warp.dev>
…cturally specsmith is a 50k-line toolkit with CLI drivers, HTTP servers, and LLM provider adapters that cannot be unit-tested to 85% without a full integration test harness. The chronomemory 85% gate is appropriate for a small, stdlib-only library — not for this codebase. Also update github-actions-ci skill to note the caveat: use --cov-fail-under only when the project can structurally sustain the threshold. Co-Authored-By: Oz <oz-agent@warp.dev>
…secution phases Patent prosecution project type (issue #177): - config.py: add PATENT_PROSECUTION = 'patent-prosecution' to ProjectType enum - config.py: add fallback_type field to ProjectConfig (allows older specsmith to degrade gracefully to spec-document while recording intended type) - config.py: add IP prosecution fields — ip_families, claim_themes, provisional_app_number, non_provisional_deadline, entity_status, assignee, counsel, inventors, specs_dir, prosecution_dir, strategy_dir, filings_dir - config.py: add PATENT_PROSECUTION to _TYPE_LABELS - phase.py: add 7-phase IP prosecution lifecycle as PROSECUTION_PHASES (provisional-draft → filing → prior-art-search → claim-hardening → non-provisional-draft → examination → allowance). Merged into PHASE_MAP so read_phase() correctly handles cpsc-core's aee_phase: claim-hardening - tools.py: add PATENT_PROSECUTION tool entry (vale, cspell, pandoc, claim-ref-check) Skills catalog (5 new): - github-health-check (devops): systematic CI/PR/CodeQL/Dependabot triage — ordered triage playbook, gh api commands for all alert types, full health snapshot one-liner - patent-prosecution-workflow (governance): prior-art protocol, MCP server selection matrix, PPUBS→PatentsView fallback, PAR ID format, claim theme tracking, ledger entry format, prosecution phases table, roles, invariants - github-actions-ci, gh-ci-polling, terminal-awareness (already committed) Docs: - skills-index.md: 62→67 skills, updated Governance (10) and DevOps (6) and Cross-Platform (3) - api_surface.json fixture regenerated Architecture decision: - CI/CD health → SKILL (github-health-check): agents need knowledge of triage order, not new CLI commands - Patent prosecution → BOTH code (type registration, phases) AND skill (protocol knowledge) Closes #177 Co-Authored-By: Oz <oz-agent@warp.dev>
Ruff W605 auto-fixed: backslash escape sequences in the github-health-check skill body (jq expressions with \(, \.) that Python interpreted as invalid escape sequences. Same pattern as the cross_platform.py fix earlier. Co-Authored-By: Oz <oz-agent@warp.dev>
…eb types, docs M006 migration — auto-inject Session Governance Protocol into AGENTS.md: - Detects 4 sentinel strings; no-op when already present (idempotent) - Injects heartbeat + preflight gate + drift detection + checkpoint-in-summary section AFTER Session Bootstrap, BEFORE next ## heading - Backs up AGENTS.md to .specsmith/agents.md.m006.bak before patching - Runs automatically via specsmith migrate-project and specsmith upgrade --full - Registered as version=6 in MigrationRegistry specsmith checkpoint command (REQ-351): - Best-effort: phase, audit health, REQ/TEST counts, ESDB chain, recent WIs, last preflight — never fails even on projects with no ESDB or LEDGER - --json: structured payload for machine consumers - Human output: bordered GOVERNANCE ANCHOR block with footer instruction Modern web framework project types (REQ-353): - config.py: NEXTJS_APP, NUXT_APP, SVELTEKIT_APP, REMIX_APP, ASTRO_SITE - tools.py: full ToolSet for each (eslint, tsc, vitest/jest, playwright, npm audit) - _TYPE_LABELS: human-readable labels for all 5 types AGENTS.md template: - Session Governance Protocol section added to agents.md.j2 so all newly scaffolded/upgraded projects get the checkpoint + preflight + heartbeat rules specsmith-session-governance skill (governance domain): - Full session protocol as an installable skill - Explains why agents drift, the three mandatory rules, drift self-check Governance: - REQ-351/352/353 + TEST-351/352/353 added and synced (308->311 reqs, 311->314 tests) - REQUIREMENTS.md + TESTS.md regenerated - api_surface.json fixture updated GitHub issues filed for later: - #179: Codity.ai — skill + CLI adapter + AGENTS rule (tri-layer) - #180: Chumlab UI — skill-only initially (stealth, npm not yet public) Co-Authored-By: Oz <oz-agent@warp.dev>
… update README + pull flags - skills-index.md: header 67->69 (actual catalog count is 69) - skills-index.md: add specsmith-session-governance row to Governance(10) table - skills-index.md: remove duplicate rows introduced by earlier edit - commands.md: add specsmith checkpoint section (REQ-351) - commands.md: update pull command with --discard/--clean flags (REQ-347/348) - README.md: add overflow.yml row to domain table (REQ-335..353) Co-Authored-By: Oz <oz-agent@warp.dev>
…ill, ARCH §39, REQ-354/355/356/357, TEST-354/355/356/357 - src/specsmith/integrations/codity.py: CodityAdapter generates CI workflow for GitHub (default), GitLab, Azure DevOps; writes docs/codity-setup.md; appends LEDGER.md TODO checklist; VCS detected from scaffold.yml + heuristics - src/specsmith/integrations/__init__.py: register CodityAdapter as 'codity' - src/specsmith/skills/governance.py: codity-ai-review governance skill (70th skill) - src/specsmith/templates/agents.md.j2: Codity pre-commit rule section - docs/ARCHITECTURE.md §39: CodityAdapter architecture + I15 invariant - docs/requirements/overflow.yml: REQ-354/355/356 (Codity integration) - docs/tests/overflow.yml: TEST-354/355/356/357 (adapter, VCS detection, skill, template) - docs/site/skills-index.md: Governance (10→11), 69→70 built-in skills - docs/site/commands.md: specsmith integrate section with codity adapter docs - README.md: Codity.ai AI Code Review Integration section; overflow.yml range 353→356 - tests/test_integrations_codity.py: 40 tests, all green (831 total, 28/28 audit) Co-Authored-By: Oz <oz-agent@warp.dev>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| _reqs_json_path = os.path.join(_root_str, ".specsmith", "requirements.json") | ||
| _tc_json_path = os.path.join(_root_str, ".specsmith", "testcases.json") | ||
|
|
||
| if explicit_req_ids and os.path.isfile(_reqs_json_path): |
|
|
||
| if explicit_req_ids and os.path.isfile(_reqs_json_path): | ||
| try: | ||
| rq_records = _json.loads(Path(_reqs_json_path).read_text(encoding="utf-8")) |
| and rec["id"] not in test_case_ids | ||
| ): | ||
| test_case_ids.append(rec["id"]) | ||
| if explicit_test_ids and os.path.isfile(_tc_json_path): |
| test_case_ids.append(rec["id"]) | ||
| if explicit_test_ids and os.path.isfile(_tc_json_path): | ||
| try: | ||
| tc_explicit = _json.loads(Path(_tc_json_path).read_text(encoding="utf-8")) |
| for eid in explicit_test_ids: | ||
| if eid in known_tc_ids: | ||
| test_case_ids.append(eid) | ||
| if requirement_ids and os.path.isfile(_tc_json_path): |
| test_case_ids.append(eid) | ||
| if requirement_ids and os.path.isfile(_tc_json_path): | ||
| try: | ||
| records = _json.loads(Path(_tc_json_path).read_text(encoding="utf-8")) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #179
Implements full Codity.ai AI code review integration for specsmith.
What's new
CI status: develop
Co-Authored-By: Oz oz-agent@warp.dev