feat: #179 Codity.ai integration — CodityAdapter, codity-ai-review skill, ARCH §39, REQ-354/355/356/357, TEST-354/355/356/357

- src/specsmith/integrations/codity.py: CodityAdapter generates CI workflow
  for GitHub (default), GitLab, Azure DevOps; writes docs/codity-setup.md;
  appends LEDGER.md TODO checklist; VCS detected from scaffold.yml + heuristics
- src/specsmith/integrations/__init__.py: register CodityAdapter as 'codity'
- src/specsmith/skills/governance.py: codity-ai-review governance skill (70th skill)
- src/specsmith/templates/agents.md.j2: Codity pre-commit rule section
- docs/ARCHITECTURE.md §39: CodityAdapter architecture + I15 invariant
- docs/requirements/overflow.yml: REQ-354/355/356 (Codity integration)
- docs/tests/overflow.yml: TEST-354/355/356/357 (adapter, VCS detection, skill, template)
- docs/site/skills-index.md: Governance (10→11), 69→70 built-in skills
- docs/site/commands.md: specsmith integrate section with codity adapter docs
- README.md: Codity.ai AI Code Review Integration section; overflow.yml range 353→356
- tests/test_integrations_codity.py: 40 tests, all green (831 total, 28/28 audit)

Co-Authored-By: Oz <oz-agent@warp.dev>

Author: tbitcs

.specsmith/requirements.json

@@ -3111,5 +3111,36 @@
     "test_ids": [
       "TEST-353"
     ]
+  },
+  {
+    "id": "REQ-354",
+    "title": "CodityAdapter Scaffolds AI Code Review CI Workflow",
+    "description": "specsmith MUST provide a CodityAdapter registered as 'codity' in the integrations registry. CodityAdapter.generate() MUST detect the VCS host from scaffold.yml content ('gitlab' keyword → gitlab, 'azure' keyword → azure, else github) and from directory heuristics (.gitlab-ci.yml → gitlab, azure-pipelines.yml → azure). For github it MUST write .github/workflows/codity-review.yml; for gitlab it MUST write .gitlab-ci-codity.yml; for azure it MUST write .azure-pipelines/codity-review.yml. All variants MUST install the Codity CLI via the official install script, run 'codity review --staged', and require CODITY_ACCESS_TOKEN. GitLab and Azure variants MUST additionally call 'codity config set-pat --provider <vcs>'. generate() MUST also write docs/codity-setup.md (one-time setup checklist) and append a TODO checklist to LEDGER.md if it exists. The adapter MUST be discoverable via specsmith integrate codity.",
+    "source": "ARCHITECTURE.md §39",
+    "status": "implemented",
+    "test_ids": [
+      "TEST-354",
+      "TEST-355"
+    ]
+  },
+  {
+    "id": "REQ-355",
+    "title": "AGENTS.md Template Includes Codity.ai Pre-commit Rule",
+    "description": "The AGENTS.md Jinja2 template (agents.md.j2) MUST include a 'Codity.ai Code Review' section that instructs agents: if 'codity doctor' exits 0 (Codity is configured), run 'codity review --staged' before any commit touching production code; HIGH-severity findings are blocking; MEDIUM-severity findings require inline acknowledgement in the commit message; setup is via 'specsmith integrate codity --project-dir .'.",
+    "source": "ARCHITECTURE.md §39",
+    "status": "implemented",
+    "test_ids": [
+      "TEST-357"
+    ]
+  },
+  {
+    "id": "REQ-356",
+    "title": "codity-ai-review Governance Skill in Skills Catalog",
+    "description": "specsmith MUST include a 'codity-ai-review' SkillEntry in the governance domain skills catalog. The skill MUST document: Codity CLI install command (curl install script), codity login (magic-link browser auth), codity init (per-repo initialisation), daily commands (review --staged, scan --staged, test-gen --staged, doctor), the AGENTS.md blocking rule (HIGH severity = commit blocked, MEDIUM = acknowledgement required), CI integration via specsmith integrate codity, GitHub App setup, GitLab PAT setup (codity config set-pat --provider gitlab), and Azure DevOps PAT setup. The skill MUST be tagged with codity, ai-review, code-review, security, test-gen, ci, github, gitlab, azure, staged, pre-commit and discoverable via specsmith skill list.",
+    "source": "ARCHITECTURE.md §39",
+    "status": "implemented",
+    "test_ids": [
+      "TEST-356"
+    ]
   }
 ]

.specsmith/testcases.json

@@ -3452,5 +3452,49 @@
     "input": "list_tools_for_type for each new type; check _TYPE_LABELS",
     "expected_behavior": "Each type has correct build tool; all five types in _TYPE_LABELS",
     "confidence": 0.95
+  },
+  {
+    "id": "TEST-354",
+    "title": "CodityAdapter Generates GitHub Workflow by Default",
+    "description": "CodityAdapter().generate(config, tmp_path) on a directory with no VCS signals MUST create .github/workflows/codity-review.yml containing 'codity review --staged', 'curl -fsSL https://cli.codity.ai/install.sh | sh', 'CODITY_ACCESS_TOKEN', and 'actions/checkout@v4'. It MUST also create docs/codity-setup.md. When LEDGER.md exists, a TODO checklist entry MUST be appended containing 'codity login' and 'codity doctor'. CodityAdapter().name MUST equal 'codity'.",
+    "requirement_id": "REQ-354",
+    "type": "unit",
+    "verification_method": "pytest",
+    "input": "CodityAdapter().generate(mock_config, tmp_path); tmp_path has no scaffold.yml or VCS hint files",
+    "expected_behavior": ".github/workflows/codity-review.yml created; docs/codity-setup.md created; LEDGER.md appended; name == 'codity'",
+    "confidence": 0.95
+  },
+  {
+    "id": "TEST-355",
+    "title": "CodityAdapter Detects GitLab and Azure VCS from Scaffold or Directory",
+    "description": "When scaffold.yml contains 'gitlab' (case-insensitive), _detect_vcs() MUST return 'gitlab' and generate() MUST write .gitlab-ci-codity.yml (not a GitHub workflow). When scaffold.yml contains 'azure', _detect_vcs() MUST return 'azure' and generate() MUST write .azure-pipelines/codity-review.yml. When .gitlab-ci.yml exists in the project root (no scaffold.yml), _detect_vcs() MUST return 'gitlab'. When azure-pipelines.yml exists, _detect_vcs() MUST return 'azure'. The GitLab workflow MUST contain 'codity config set-pat --provider gitlab'. The Azure workflow MUST contain 'codity config set-pat --provider azure'.",
+    "requirement_id": "REQ-354",
+    "type": "unit",
+    "verification_method": "pytest",
+    "input": "Scaffold.yml with gitlab/azure keyword; .gitlab-ci.yml present; azure-pipelines.yml present",
+    "expected_behavior": "Correct VCS detected; correct workflow file written; PAT setup command present",
+    "confidence": 0.95
+  },
+  {
+    "id": "TEST-356",
+    "title": "codity-ai-review Skill Is in Governance Skills Catalog",
+    "description": "specsmith.skills.governance.SKILLS MUST contain a SkillEntry with slug='codity-ai-review'. Its body MUST contain 'codity review --staged', 'codity login', 'codity init', 'codity scan --staged', 'codity test-gen --staged', 'codity doctor', 'specsmith integrate codity', 'HIGH severity', 'set-pat --provider gitlab', and 'set-pat --provider azure'. Its tags MUST include 'codity', 'ai-review', and 'pre-commit'. Its domain MUST be SkillDomain.GOVERNANCE.",
+    "requirement_id": "REQ-356",
+    "type": "unit",
+    "verification_method": "pytest",
+    "input": "from specsmith.skills.governance import SKILLS; find slug='codity-ai-review'",
+    "expected_behavior": "SkillEntry found; body and tags correct; domain GOVERNANCE",
+    "confidence": 0.95
+  },
+  {
+    "id": "TEST-357",
+    "title": "AGENTS.md Template Contains Codity.ai Pre-commit Rule",
+    "description": "The rendered agents.md.j2 template MUST contain a 'Codity.ai Code Review' section. The section MUST instruct agents to run 'codity review --staged' if codity doctor exits 0; MUST state that HIGH-severity findings block the commit; MUST mention MEDIUM-severity acknowledgement; MUST reference 'specsmith integrate codity'. The section MUST appear after the Session Governance Protocol section and before the project metadata footer.",
+    "requirement_id": "REQ-355",
+    "type": "unit",
+    "verification_method": "pytest",
+    "input": "Read src/specsmith/templates/agents.md.j2 directly; render via Jinja2 with minimal context",
+    "expected_behavior": "Template contains Codity section with review --staged, HIGH severity, MEDIUM, integrate codity",
+    "confidence": 0.95
   }
 ]

README.md

@@ -202,7 +202,7 @@ be overwritten by the next sync.
 | `docs/requirements/yaml_governance.yml` | REQ-300..312 | YAML governance layer |
 | `docs/requirements/multiagent_compliance.yml` | REQ-313..320 | Multi-agent governance traceability |
 | `docs/requirements/dispatch.yml` | REQ-321..334 | Multi-agent DAG dispatcher |
-| `docs/requirements/overflow.yml` | REQ-335..353 | VCS ops, skills catalog, ESDB namespace, session governance, modern web types |
+| `docs/requirements/overflow.yml` | REQ-335..356 | VCS ops, skills catalog, ESDB namespace, session governance, modern web types, Codity.ai integration |
 
 **Migration from Markdown-primary:**
 `scripts/migrate_governance_to_yaml.py` once to convert an existing project.
@@ -863,6 +863,25 @@ production LLM systems:
 
 ---
 
+## Codity.ai AI Code Review Integration
+
+specsmith can scaffold [Codity.ai](https://codity.ai) AI code review into any project:
+
+```bash
+specsmith integrate codity --project-dir ./my-project
+```
+
+This generates:
+- `.github/workflows/codity-review.yml` (GitHub Actions) or `.gitlab-ci-codity.yml` / `.azure-pipelines/codity-review.yml` depending on your VCS
+- `docs/codity-setup.md` — one-time setup checklist
+- Appends a TODO checklist to `LEDGER.md`
+
+**AGENTS.md rule (REQ-355):** Projects with Codity configured SHOULD run `codity review --staged` before any commit touching production code. HIGH-severity findings are blocking; MEDIUM findings require inline acknowledgement.
+
+See the `codity-ai-review` governance skill (`specsmith skill install codity-ai-review`) for the full CLI workflow reference.
+
+---
+
 ## The specsmith Bootstrap
 
 specsmith governs itself — the specsmith repo is a specsmith-managed project. Run `specsmith audit`

docs/ARCHITECTURE.md

@@ -883,3 +883,24 @@ Hard-resets the working tree to `origin/<branch>` via `git fetch` + `git reset -
 Same as `--discard` plus `git clean -fd` to remove all untracked files. Equivalent to a full workspace reset to remote state.
 
 **Architecture invariant (I14):** `--force` and `--discard` flags MUST be used only when explicitly requested. They bypass safety guards intentionally designed to prevent accidental data loss. Agents MUST NOT invoke these flags without explicit user confirmation.
+
+## 39. Codity.ai Integration — AI Code Review Adapter
+Source: `src/specsmith/integrations/codity.py`; `src/specsmith/skills/governance.py` (`codity-ai-review`)
+
+`CodityAdapter` (REQ-354) scaffolds Codity.ai AI-code-review CI workflows into target projects via `specsmith integrate codity`. It detects the VCS host from `scaffold.yml` content and directory heuristics (`.gitlab-ci.yml`, `azure-pipelines.yml`) and generates the appropriate CI file:
+
+| VCS host | Generated file |
+|---|---|
+| GitHub (default) | `.github/workflows/codity-review.yml` |
+| GitLab | `.gitlab-ci-codity.yml` |
+| Azure DevOps | `.azure-pipelines/codity-review.yml` |
+
+All variants: install Codity CLI via `curl -fsSL https://cli.codity.ai/install.sh | sh`, run `codity review --staged`, require `CODITY_ACCESS_TOKEN` secret. GitLab/Azure additionally call `codity config set-pat --provider <vcs>` with a PAT.
+
+`generate()` also writes `docs/codity-setup.md` (one-time setup checklist) and appends a TODO checklist to `LEDGER.md`.
+
+The **`codity-ai-review`** governance skill (REQ-356) documents the full Codity.ai CLI workflow for agents: install, `codity login` (magic-link auth), `codity init`, daily commands (`review --staged`, `scan --staged`, `test-gen --staged`, `doctor`), VCS-specific PAT setup, and the AGENTS.md rule.
+
+The **AGENTS.md template** (REQ-355) includes a conditional Codity section: projects with Codity configured SHOULD run `codity review --staged` before commits touching production code; HIGH-severity findings block the commit; MEDIUM findings require inline acknowledgement.
+
+**Architecture invariant (I15):** The VCS-detection heuristic MUST default to `"github"` when no signals are present (scaffold.yml absent, no `.gitlab-ci.yml`, no `azure-pipelines.yml`). New VCS hosts require a new detection heuristic AND a corresponding workflow writer method.

docs/REQUIREMENTS.md

@@ -2490,3 +2490,27 @@
 - **Source:** ARCHITECTURE.md §Implemented Specsmith System
 - **Test_Ids:** ['TEST-353']
 
+## REQ-354. CodityAdapter Scaffolds AI Code Review CI Workflow
+- **ID:** REQ-354
+- **Title:** CodityAdapter Scaffolds AI Code Review CI Workflow
+- **Description:** specsmith MUST provide a CodityAdapter registered as 'codity' in the integrations registry. CodityAdapter.generate() MUST detect the VCS host from scaffold.yml content ('gitlab' keyword → gitlab, 'azure' keyword → azure, else github) and from directory heuristics (.gitlab-ci.yml → gitlab, azure-pipelines.yml → azure). For github it MUST write .github/workflows/codity-review.yml; for gitlab it MUST write .gitlab-ci-codity.yml; for azure it MUST write .azure-pipelines/codity-review.yml. All variants MUST install the Codity CLI via the official install script, run 'codity review --staged', and require CODITY_ACCESS_TOKEN. GitLab and Azure variants MUST additionally call 'codity config set-pat --provider <vcs>'. generate() MUST also write docs/codity-setup.md (one-time setup checklist) and append a TODO checklist to LEDGER.md if it exists. The adapter MUST be discoverable via specsmith integrate codity.
+- **Status:** implemented
+- **Source:** ARCHITECTURE.md §39
+- **Test_Ids:** ['TEST-354', 'TEST-355']
+
+## REQ-355. AGENTS.md Template Includes Codity.ai Pre-commit Rule
+- **ID:** REQ-355
+- **Title:** AGENTS.md Template Includes Codity.ai Pre-commit Rule
+- **Description:** The AGENTS.md Jinja2 template (agents.md.j2) MUST include a 'Codity.ai Code Review' section that instructs agents: if 'codity doctor' exits 0 (Codity is configured), run 'codity review --staged' before any commit touching production code; HIGH-severity findings are blocking; MEDIUM-severity findings require inline acknowledgement in the commit message; setup is via 'specsmith integrate codity --project-dir .'.
+- **Status:** implemented
+- **Source:** ARCHITECTURE.md §39
+- **Test_Ids:** ['TEST-357']
+
+## REQ-356. codity-ai-review Governance Skill in Skills Catalog
+- **ID:** REQ-356
+- **Title:** codity-ai-review Governance Skill in Skills Catalog
+- **Description:** specsmith MUST include a 'codity-ai-review' SkillEntry in the governance domain skills catalog. The skill MUST document: Codity CLI install command (curl install script), codity login (magic-link browser auth), codity init (per-repo initialisation), daily commands (review --staged, scan --staged, test-gen --staged, doctor), the AGENTS.md blocking rule (HIGH severity = commit blocked, MEDIUM = acknowledgement required), CI integration via specsmith integrate codity, GitHub App setup, GitLab PAT setup (codity config set-pat --provider gitlab), and Azure DevOps PAT setup. The skill MUST be tagged with codity, ai-review, code-review, security, test-gen, ci, github, gitlab, azure, staged, pre-commit and discoverable via specsmith skill list.
+- **Status:** implemented
+- **Source:** ARCHITECTURE.md §39
+- **Test_Ids:** ['TEST-356']
+

docs/TESTS.md

@@ -2935,3 +2935,47 @@
 - **Expected Behavior:** Each type has correct build tool; all five types in _TYPE_LABELS
 - **Confidence:** 0.95
 
+## TEST-354. CodityAdapter Generates GitHub Workflow by Default
+- **ID:** TEST-354
+- **Title:** CodityAdapter Generates GitHub Workflow by Default
+- **Description:** CodityAdapter().generate(config, tmp_path) on a directory with no VCS signals MUST create .github/workflows/codity-review.yml containing 'codity review --staged', 'curl -fsSL https://cli.codity.ai/install.sh | sh', 'CODITY_ACCESS_TOKEN', and 'actions/checkout@v4'. It MUST also create docs/codity-setup.md. When LEDGER.md exists, a TODO checklist entry MUST be appended containing 'codity login' and 'codity doctor'. CodityAdapter().name MUST equal 'codity'.
+- **Requirement ID:** REQ-354
+- **Type:** unit
+- **Verification Method:** pytest
+- **Input:** CodityAdapter().generate(mock_config, tmp_path); tmp_path has no scaffold.yml or VCS hint files
+- **Expected Behavior:** .github/workflows/codity-review.yml created; docs/codity-setup.md created; LEDGER.md appended; name == 'codity'
+- **Confidence:** 0.95
+
+## TEST-355. CodityAdapter Detects GitLab and Azure VCS from Scaffold or Directory
+- **ID:** TEST-355
+- **Title:** CodityAdapter Detects GitLab and Azure VCS from Scaffold or Directory
+- **Description:** When scaffold.yml contains 'gitlab' (case-insensitive), _detect_vcs() MUST return 'gitlab' and generate() MUST write .gitlab-ci-codity.yml (not a GitHub workflow). When scaffold.yml contains 'azure', _detect_vcs() MUST return 'azure' and generate() MUST write .azure-pipelines/codity-review.yml. When .gitlab-ci.yml exists in the project root (no scaffold.yml), _detect_vcs() MUST return 'gitlab'. When azure-pipelines.yml exists, _detect_vcs() MUST return 'azure'. The GitLab workflow MUST contain 'codity config set-pat --provider gitlab'. The Azure workflow MUST contain 'codity config set-pat --provider azure'.
+- **Requirement ID:** REQ-354
+- **Type:** unit
+- **Verification Method:** pytest
+- **Input:** Scaffold.yml with gitlab/azure keyword; .gitlab-ci.yml present; azure-pipelines.yml present
+- **Expected Behavior:** Correct VCS detected; correct workflow file written; PAT setup command present
+- **Confidence:** 0.95
+
+## TEST-356. codity-ai-review Skill Is in Governance Skills Catalog
+- **ID:** TEST-356
+- **Title:** codity-ai-review Skill Is in Governance Skills Catalog
+- **Description:** specsmith.skills.governance.SKILLS MUST contain a SkillEntry with slug='codity-ai-review'. Its body MUST contain 'codity review --staged', 'codity login', 'codity init', 'codity scan --staged', 'codity test-gen --staged', 'codity doctor', 'specsmith integrate codity', 'HIGH severity', 'set-pat --provider gitlab', and 'set-pat --provider azure'. Its tags MUST include 'codity', 'ai-review', and 'pre-commit'. Its domain MUST be SkillDomain.GOVERNANCE.
+- **Requirement ID:** REQ-356
+- **Type:** unit
+- **Verification Method:** pytest
+- **Input:** from specsmith.skills.governance import SKILLS; find slug='codity-ai-review'
+- **Expected Behavior:** SkillEntry found; body and tags correct; domain GOVERNANCE
+- **Confidence:** 0.95
+
+## TEST-357. AGENTS.md Template Contains Codity.ai Pre-commit Rule
+- **ID:** TEST-357
+- **Title:** AGENTS.md Template Contains Codity.ai Pre-commit Rule
+- **Description:** The rendered agents.md.j2 template MUST contain a 'Codity.ai Code Review' section. The section MUST instruct agents to run 'codity review --staged' if codity doctor exits 0; MUST state that HIGH-severity findings block the commit; MUST mention MEDIUM-severity acknowledgement; MUST reference 'specsmith integrate codity'. The section MUST appear after the Session Governance Protocol section and before the project metadata footer.
+- **Requirement ID:** REQ-355
+- **Type:** unit
+- **Verification Method:** pytest
+- **Input:** Read src/specsmith/templates/agents.md.j2 directly; render via Jinja2 with minimal context
+- **Expected Behavior:** Template contains Codity section with review --staged, HIGH severity, MEDIUM, integrate codity
+- **Confidence:** 0.95
+