@polylogicai/polycode 1.1.0

package/lib/witness/conservativity.mjs

@@ -0,0 +1,90 @@
+// lib/witness/conservativity.mjs
+// Conservativity primitive. Ported from ~/polybrain-kernel/src/witness/conservativity.mjs.
+// Pure recall-based token overlap + numeric tolerance. No LLM.
+// Returns {verdict: 'PASS' | 'FAIL' | 'PENDING', detail: string}.
+//
+// Recall = |claim tokens that appear in substrate| / |claim tokens|.
+// The recall discipline is "does the substrate support every meaningful token
+// in the claim." Numeric claims are matched within a relative tolerance.
+
+const RECALL_MIN_DEFAULT = 0.6;
+const NUMERIC_TOLERANCE_DEFAULT = 0.02;
+
+const STOPWORDS = new Set([
+  'the','a','an','of','in','on','at','to','for','with','by','is','are','was','were','be','been','being',
+  'and','or','but','if','then','this','that','these','those','it','as','from','into','over','under','than',
+  'so','such','not','no','yes','also','can','will','would','could','should','may','might','do','does','did',
+  'has','have','had','i','you','he','she','we','they','them','his','her','their','our','my','your',
+  'about','here','there','now','been','being','any','all','some','one','two','three','four','five',
+]);
+
+function tokenize(s) {
+  return (s || '')
+    .toLowerCase()
+    .replace(/[^a-z0-9.\- ]+/g, ' ')
+    .split(/\s+/)
+    .filter((t) => t && t.length > 2 && !STOPWORDS.has(t));
+}
+
+function extractNumerics(s) {
+  const re = /-?\d{1,3}(?:,\d{3})+(?:\.\d+)?|-?\d+\.?\d*(?:[eE][-+]?\d+)?|-?\.\d+/g;
+  const out = [];
+  for (const m of (s || '').matchAll(re)) {
+    const raw = m[0].replace(/,/g, '');
+    const n = Number(raw);
+    if (!Number.isNaN(n)) out.push(n);
+  }
+  return out;
+}
+
+function recall(claimTokens, substrateTokens) {
+  const claimSet = new Set(claimTokens);
+  if (claimSet.size === 0) return 0;
+  const substrateSet = new Set(substrateTokens);
+  let present = 0;
+  for (const t of claimSet) if (substrateSet.has(t)) present++;
+  return present / claimSet.size;
+}
+
+function numericMatch(claimNums, substrateNums, tolerance) {
+  if (claimNums.length === 0) return true;
+  for (const c of claimNums) {
+    let matched = false;
+    for (const s of substrateNums) {
+      if (Number.isInteger(c) && Number.isInteger(s) && c === s) { matched = true; break; }
+      const denom = Math.max(Math.abs(c), 1e-9);
+      if (Math.abs(c - s) / denom <= tolerance) { matched = true; break; }
+    }
+    if (!matched) return false;
+  }
+  return true;
+}
+
+export function conservativity({ claim, substrate }, opts = {}) {
+  const text = claim || '';
+  const sub = substrate || '';
+  const recallMin = opts.recall_min ?? RECALL_MIN_DEFAULT;
+  const tolerance = opts.numeric_tolerance ?? NUMERIC_TOLERANCE_DEFAULT;
+
+  if (!sub.trim()) return { verdict: 'PENDING', detail: 'empty substrate' };
+
+  const claimTokens = tokenize(text);
+  if (claimTokens.length === 0) return { verdict: 'PENDING', detail: 'no checkable tokens in claim' };
+
+  const substrateTokens = tokenize(sub);
+  const r = recall(claimTokens, substrateTokens);
+  const claimNums = extractNumerics(text);
+  const substrateNums = extractNumerics(sub);
+  const nums = numericMatch(claimNums, substrateNums, tolerance);
+
+  if (!nums) {
+    return { verdict: 'FAIL', detail: 'numeric mismatch (claim contains numbers not grounded in substrate)' };
+  }
+  if (r >= recallMin) {
+    return { verdict: 'PASS', detail: `recall ${r.toFixed(2)} >= ${recallMin}, numerics matched` };
+  }
+  // Low recall is a weak signal in polycode's interactive flow because the claim
+  // and substrate are at different granularities. PEND rather than FAIL so the
+  // commitment is not refuted on benign token distance.
+  return { verdict: 'PENDING', detail: `recall ${r.toFixed(2)} < ${recallMin}, numerics matched` };
+}

package/lib/witness/g-fidelity.mjs

@@ -0,0 +1,80 @@
+// lib/witness/g-fidelity.mjs
+// G_fidelity. The fifth witness primitive. Checks whether the generator's output
+// is grounded in the canon. Produces a scalar in [0, 1] plus a verdict.
+//
+// Method: extract content tokens from the claim, compute recall against the
+// substrate of the compiled packet plus recent canon rows within the active
+// intent. If recall is high, G_fidelity is high, and the composer upgrades
+// the commitment toward VERIFIED. If recall is low, G_fidelity is low, and
+// the composer downgrades the commitment toward PENDING or REFUTED.
+//
+// The multiplicative composition `I = V_witness × G_fidelity` lives in the
+// composer (lib/witness/index.mjs). This file only computes the scalar.
+
+const RECALL_STRONG = 0.8;
+const RECALL_WEAK = 0.5;
+
+const STOPWORDS = new Set([
+  'the','a','an','of','in','on','at','to','for','with','by','is','are','was','were','be','been','being',
+  'and','or','but','if','then','this','that','these','those','it','as','from','into','over','under','than',
+  'so','such','not','no','yes','also','can','will','would','could','should','may','might','do','does','did',
+  'has','have','had','i','you','he','she','we','they','them','his','her','their','our','my','your',
+  'about','here','there','now','any','all','some','one','two','three','four','five',
+]);
+
+function tokenize(s) {
+  return (s || '')
+    .toLowerCase()
+    .replace(/[^a-z0-9.\-_/ ]+/g, ' ')
+    .split(/\s+/)
+    .filter((t) => t && t.length > 2 && !STOPWORDS.has(t));
+}
+
+export function gFidelity({ claim, packet, canon, intentId }) {
+  if (!claim || typeof claim !== 'string') {
+    return { verdict: 'PENDING', detail: 'no claim to check', scalar: 0.5 };
+  }
+
+  const claimTokens = tokenize(claim);
+  if (claimTokens.length === 0) {
+    return { verdict: 'PENDING', detail: 'no checkable tokens in claim', scalar: 0.5 };
+  }
+
+  const substrateParts = [];
+  if (packet && typeof packet === 'string') substrateParts.push(packet);
+  if (canon && intentId) {
+    const rows = canon.queryByIntent(intentId, 30);
+    for (const r of rows) {
+      if (r.type === 'witnessed_commitment' && r.payload) {
+        substrateParts.push(String(r.payload.claim || ''));
+        substrateParts.push(String(r.payload.tool_result_snippet || ''));
+      } else if (r.type === 'user_turn' && r.payload) {
+        substrateParts.push(String(r.payload.message || ''));
+      } else if (r.type === 'user_intent' && r.payload) {
+        substrateParts.push(String(r.payload.text || ''));
+      }
+    }
+  }
+  const substrate = substrateParts.join(' ');
+
+  if (!substrate.trim()) {
+    return { verdict: 'PENDING', detail: 'no substrate available', scalar: 0.5 };
+  }
+
+  const substrateTokens = new Set(tokenize(substrate));
+  let present = 0;
+  const claimSet = new Set(claimTokens);
+  for (const t of claimSet) if (substrateTokens.has(t)) present++;
+  const scalar = present / claimSet.size;
+
+  // v1.1 policy: g_fidelity never FAILs on token overlap alone, because interactive
+  // agent messages frequently contain meta-phrasing ("let me write the file",
+  // "I'll check the path") that has low overlap with any concrete substrate. A
+  // FAIL here would over-refute legitimate commitments. We emit PASS above the
+  // strong threshold and PENDING otherwise, reserving FAIL for future v1.2
+  // typed-claim-graph checks (where claim triples can be structurally refuted).
+  if (scalar >= RECALL_STRONG) {
+    return { verdict: 'PASS', detail: `g_fidelity ${scalar.toFixed(2)} >= ${RECALL_STRONG}`, scalar };
+  }
+  return { verdict: 'PENDING', detail: `g_fidelity ${scalar.toFixed(2)} < ${RECALL_STRONG}`, scalar };
+}

package/lib/witness/ground-truth.mjs

@@ -0,0 +1,56 @@
+// lib/witness/ground-truth.mjs
+// Structurally non-LLM ground-truth check. Returns {verdict, detail}.
+// For file-based tools, verify the file actually exists after the operation.
+// For bash, check the exit code. Pure async I/O, no model calls.
+
+import { access } from 'node:fs/promises';
+import { resolve } from 'node:path';
+
+export async function groundTruth({ toolName, toolArgs, toolResult, cwd }) {
+  if (!toolName) return { verdict: 'PENDING', detail: 'no tool call to ground-check' };
+
+  if (toolName === 'read_file') {
+    const path = toolArgs?.path;
+    if (!path) return { verdict: 'FAIL', detail: 'read_file called without path' };
+    if (typeof toolResult === 'string' && toolResult.startsWith('error:')) {
+      return { verdict: 'FAIL', detail: `read_file error: ${toolResult.slice(0, 80)}` };
+    }
+    try {
+      await access(resolve(cwd || process.cwd(), path));
+      return { verdict: 'PASS', detail: `file exists: ${path}` };
+    } catch {
+      return { verdict: 'FAIL', detail: `file not found: ${path}` };
+    }
+  }
+
+  if (toolName === 'write_file' || toolName === 'edit_file') {
+    const path = toolArgs?.path;
+    if (!path) return { verdict: 'FAIL', detail: `${toolName} called without path` };
+    if (typeof toolResult === 'string' && toolResult.startsWith('error:')) {
+      return { verdict: 'FAIL', detail: `${toolName} error: ${toolResult.slice(0, 80)}` };
+    }
+    try {
+      await access(resolve(cwd || process.cwd(), path));
+      return { verdict: 'PASS', detail: `wrote file exists: ${path}` };
+    } catch {
+      return { verdict: 'FAIL', detail: `${toolName} did not produce file: ${path}` };
+    }
+  }
+
+  if (toolName === 'bash') {
+    if (typeof toolResult === 'string' && toolResult.startsWith('exit=')) {
+      return { verdict: 'FAIL', detail: 'bash command exited non-zero' };
+    }
+    return { verdict: 'PASS', detail: 'bash returned output' };
+  }
+
+  if (toolName === 'glob' || toolName === 'grep') {
+    return { verdict: 'PASS', detail: `${toolName} returned result` };
+  }
+
+  if (toolName === 'task_done') {
+    return { verdict: 'PASS', detail: 'task_done summary accepted' };
+  }
+
+  return { verdict: 'PENDING', detail: `no ground-truth check for ${toolName}` };
+}

package/lib/witness/index.mjs

@@ -0,0 +1,70 @@
+// lib/witness/index.mjs
+// Verification layer. Every tool call and final message runs through a small
+// set of pure-Node checks before being recorded to the session log. The checks
+// are deterministic and have no network dependencies of their own. If any
+// check fails, the record is marked REFUTED and the agent is told to try a
+// different approach. If none fail, the record is marked VERIFIED.
+//
+// Checks in this release:
+//   conservativity  token overlap and numeric consistency vs the tool output
+//   ground_truth    file existence, URL resolution, tool exit code
+//   rule_compliance forbidden libraries, commands, and patterns
+//   g_fidelity      generator output grounding vs the compiled context
+
+import { conservativity } from './conservativity.mjs';
+import { groundTruth } from './ground-truth.mjs';
+import { ruleCompliance } from './rule-compliance.mjs';
+import { gFidelity } from './g-fidelity.mjs';
+
+export async function witness({
+  claim,
+  substrate,
+  toolName,
+  toolArgs,
+  toolResult,
+  cwd,
+  packet,
+  canon,
+  intentId,
+  rules,
+}) {
+  const primitives = {};
+
+  primitives.conservativity = conservativity({
+    claim,
+    substrate: substrate || (typeof toolResult === 'string' ? toolResult : ''),
+  });
+
+  primitives.ground_truth = await groundTruth({ toolName, toolArgs, toolResult, cwd });
+
+  primitives.rule_compliance = ruleCompliance({
+    claim,
+    toolName,
+    toolArgs,
+    toolResult,
+    rules,
+  });
+
+  primitives.g_fidelity = gFidelity({
+    claim,
+    packet,
+    canon,
+    intentId,
+  });
+
+  primitives.falsification = {
+    verdict: 'PENDING',
+    detail: 'v1.1 stub; Wikipedia full-text port arrives in v1.2',
+  };
+
+  const verdicts = Object.values(primitives).map((p) => p.verdict);
+  const hasFail = verdicts.some((v) => v === 'FAIL');
+  const hasPass = verdicts.some((v) => v === 'PASS');
+
+  let verdict;
+  if (hasFail) verdict = 'REFUTED';
+  else if (hasPass) verdict = 'VERIFIED';
+  else verdict = 'PENDING';
+
+  return { verdict, primitives };
+}

package/lib/witness/rule-compliance.mjs

@@ -0,0 +1,82 @@
+// lib/witness/rule-compliance.mjs
+// Rule compliance check. Non-LLM. Scans tool call arguments and agent claims
+// against an explicit rule set loaded from rules/default.yaml or a user-
+// supplied rules file. Returns PASS if nothing matches the forbidden lists,
+// FAIL on the first match, and the FAIL reason identifies which rule fired.
+// The agent is allowed to propose anything; this layer enforces the rules
+// before any commitment appends to the session log.
+
+const DEFAULT_FORBIDDEN_COMMANDS = [
+  'sudo rm',
+  'rm -rf /',
+  'rm -rf ~',
+  'rm -rf /*',
+  ':(){:|:&};:',
+  '> /dev/sda',
+  'dd if=/dev/zero',
+];
+
+function normalize(s) {
+  return String(s || '').toLowerCase();
+}
+
+function matchesLibraryImport(text, lib) {
+  const t = normalize(text);
+  const needles = [
+    `import ${lib}`,
+    `from ${lib}`,
+    `from ${lib} import`,
+    `require('${lib}')`,
+    `require("${lib}")`,
+    `import "${lib}"`,
+    `"${lib}":`,
+    `'${lib}':`,
+  ];
+  for (const n of needles) if (t.includes(n.toLowerCase())) return true;
+  return false;
+}
+
+export function ruleCompliance({ claim, toolName, toolArgs, toolResult, rules = {} }) {
+  const forbiddenLibs = Array.isArray(rules?.forbidden_libraries) ? rules.forbidden_libraries : [];
+  const forbiddenCmds = Array.isArray(rules?.forbidden_commands)
+    ? rules.forbidden_commands
+    : DEFAULT_FORBIDDEN_COMMANDS;
+  const forbiddenPatterns = Array.isArray(rules?.forbidden_patterns) ? rules.forbidden_patterns : [];
+
+  const candidateTexts = [
+    claim || '',
+    toolName === 'bash' ? String(toolArgs?.command || '') : '',
+    toolName === 'write_file' ? String(toolArgs?.content || '') : '',
+    toolName === 'edit_file' ? String(toolArgs?.new_string || '') : '',
+    typeof toolResult === 'string' ? toolResult : '',
+  ];
+  const combined = candidateTexts.join(' ');
+
+  for (const lib of forbiddenLibs) {
+    for (const t of candidateTexts) {
+      if (t && matchesLibraryImport(t, lib)) {
+        return { verdict: 'FAIL', detail: `forbidden library referenced: ${lib}` };
+      }
+    }
+  }
+
+  const combinedLower = normalize(combined);
+  for (const cmd of forbiddenCmds) {
+    if (combinedLower.includes(normalize(cmd))) {
+      return { verdict: 'FAIL', detail: `forbidden command referenced: ${cmd}` };
+    }
+  }
+
+  for (const pattern of forbiddenPatterns) {
+    try {
+      const re = new RegExp(pattern, 'i');
+      if (re.test(combined)) {
+        return { verdict: 'FAIL', detail: `forbidden pattern matched: ${pattern}` };
+      }
+    } catch {
+      // ignore invalid regex in the rules file
+    }
+  }
+
+  return { verdict: 'PASS', detail: 'no rule violations detected' };
+}

package/lib/witness/secret-scrubber.mjs

@@ -0,0 +1,51 @@
+// lib/witness/secret-scrubber.mjs
+// Secret scrubber. Runs on the bounded turn context before any network call
+// to the generator, and again on every tool result before it reaches the
+// terminal or the session log. If a known secret pattern is detected, the
+// scrubber redacts the matching bytes in place and records the match type.
+// When the context scrubber fires pre-dispatch, the turn is aborted and
+// recorded as secret_bleed_blocked with no network call made.
+//
+// Pattern set covers AWS, Anthropic, Groq, OpenAI, GitHub, Google API,
+// Slack, Stripe, JWTs, and PEM private-key blocks.
+
+const SECRET_PATTERNS = [
+  { name: 'AWS_ACCESS_KEY', regex: /AKIA[0-9A-Z]{16}/ },
+  { name: 'AWS_SECRET_KEY', regex: /aws_secret_access_key[^A-Za-z0-9]{0,5}[A-Za-z0-9/+=]{30,}/i },
+  { name: 'ANTHROPIC_API_KEY', regex: /sk-ant-api\d{2}-[A-Za-z0-9_\-]{80,}/ },
+  { name: 'GROQ_API_KEY', regex: /gsk_[A-Za-z0-9]{40,}/ },
+  { name: 'OPENAI_API_KEY', regex: /sk-[A-Za-z0-9]{40,}/ },
+  { name: 'OPENAI_PROJECT_KEY', regex: /sk-proj-[A-Za-z0-9_\-]{40,}/ },
+  { name: 'GITHUB_TOKEN', regex: /gh[pousr]_[A-Za-z0-9]{36,}/ },
+  { name: 'GOOGLE_API_KEY', regex: /AIza[0-9A-Za-z_\-]{35}/ },
+  { name: 'SLACK_TOKEN', regex: /xox[baprs]-[A-Za-z0-9\-]{10,}/ },
+  { name: 'STRIPE_KEY', regex: /sk_live_[A-Za-z0-9]{24,}/ },
+  { name: 'PRIVATE_KEY_BLOCK', regex: /-----BEGIN (RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----/ },
+  { name: 'JWT', regex: /eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}/ },
+];
+
+export function scrubSecrets(text) {
+  if (!text || typeof text !== 'string') {
+    return { findings: [], blocked: false, redacted: text || '' };
+  }
+
+  const findings = [];
+  let redacted = text;
+  for (const { name, regex } of SECRET_PATTERNS) {
+    const globalRegex = new RegExp(regex.source, 'g');
+    const matches = text.match(globalRegex);
+    if (matches && matches.length > 0) {
+      findings.push({ pattern: name, count: matches.length });
+      redacted = redacted.replace(globalRegex, `[REDACTED_${name}]`);
+    }
+  }
+
+  return {
+    findings,
+    blocked: findings.length > 0,
+    redacted,
+    reason: findings.length > 0 ? `secrets detected: ${findings.map((f) => f.pattern).join(', ')}` : null,
+  };
+}
+
+export { SECRET_PATTERNS };

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@polylogicai/polycode",
+  "version": "1.1.0",
+  "description": "An agentic coding CLI. Runs on your machine with your keys. Every turn is appended to a SHA-256 chained session log, so your history is auditable, replayable, and portable.",
+  "type": "module",
+  "main": "bin/polycode.mjs",
+  "bin": {
+    "polycode": "bin/polycode.mjs"
+  },
+  "files": [
+    "bin",
+    "lib",
+    "rules",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "start": "node bin/polycode.mjs",
+    "test": "node test/run-all.mjs"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.89.0",
+    "dotenv": "^16.4.5",
+    "groq-sdk": "^0.15.0"
+  },
+  "keywords": [
+    "agent",
+    "cli",
+    "coding",
+    "polycode",
+    "polylogic",
+    "llm",
+    "groq",
+    "anthropic"
+  ],
+  "author": "Polylogic AI",
+  "license": "MIT",
+  "homepage": "https://polylogicai.com/polycode",
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/rules/default.yaml

@@ -0,0 +1,58 @@
+# polycode default rules. Copy to ~/.polycode/rules.yaml to customize.
+# Rules are read on startup. Edit this file to change polycode's behavior
+# without touching the source code.
+
+voice:
+  no_em_dashes: true
+  no_hype_words: true
+
+witness:
+  conservativity_min_overlap: 0.6
+  conservativity_numeric_tolerance: 0.02
+  g_fidelity_strong: 0.8
+  g_fidelity_weak: 0.5
+
+context:
+  max_prior_turns: 4
+  max_prior_commits: 5
+
+trust_weights:
+  survived: 3
+  verified: 1
+  refuted: -2
+  challenged: -1
+  pending: -0.1
+
+compiler:
+  primary: claude-haiku-4-5-20251001
+  fallback: pure-node
+  target_packet_tokens: 4000
+  summary_row_limit: 400
+
+generator:
+  primary: moonshotai/kimi-k2-instruct
+  fallback: llama-3.3-70b-versatile
+
+forbidden_libraries:
+  - requests
+
+forbidden_commands:
+  - sudo rm
+  - rm -rf /
+  - rm -rf ~
+  - rm -rf /*
+  - dd if=/dev/zero
+  - /etc/passwd
+  - /etc/shadow
+  - /etc/sudoers
+  - /root/
+  - .ssh/
+  - id_rsa
+  - id_ed25519
+  - authorized_keys
+  - known_hosts
+
+forbidden_patterns:
+  - 'eval\s*\(\s*(input|request|stdin)'
+  - 'exec\s*\(\s*(input|request|stdin)'
+  - '\.\./\.\./'