wydcode 0.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +100 -0
- package/NOTICE +5 -0
- package/README.md +434 -0
- package/SECURITY.md +64 -0
- package/SOCRA_SOURCE.md +36 -0
- package/TRADEMARKS.md +12 -0
- package/bin/wydcode.js +74 -0
- package/examples/behavior-preference-card.json +12 -0
- package/examples/exact-recurrence-card.json +11 -0
- package/examples/heldout-gene-evidence.json +6 -0
- package/examples/humaneval-ornith.md +29 -0
- package/examples/large_context_json_diagnostic.py +187 -0
- package/fixtures/failing-node-repo/package.json +9 -0
- package/fixtures/failing-node-repo/src/math.js +3 -0
- package/fixtures/failing-node-repo/test/math.test.js +8 -0
- package/package.json +55 -0
- package/pyproject.toml +24 -0
- package/socra_harness/__init__.py +3 -0
- package/socra_harness/attempts.py +76 -0
- package/socra_harness/central_traces.py +627 -0
- package/socra_harness/cli.py +265 -0
- package/socra_harness/eval/__init__.py +1 -0
- package/socra_harness/eval/humaneval.py +388 -0
- package/socra_harness/events.py +39 -0
- package/socra_harness/init.py +206 -0
- package/socra_harness/job/__init__.py +2 -0
- package/socra_harness/job/events.py +132 -0
- package/socra_harness/job/lock.py +90 -0
- package/socra_harness/job/manager.py +3785 -0
- package/socra_harness/job/planner.py +253 -0
- package/socra_harness/job/state.py +106 -0
- package/socra_harness/mumpix_trace_bridge.cjs +32 -0
- package/socra_harness/product.py +533 -0
- package/socra_harness/recurrence.py +263 -0
- package/socra_harness/scan/__init__.py +1 -0
- package/socra_harness/scan/repo.py +85 -0
- package/socra_harness/serve/__init__.py +1 -0
- package/socra_harness/serve/local_proxy.py +293 -0
- package/socra_harness/start.py +331 -0
- package/socra_harness/tui/__init__.py +1 -0
- package/socra_harness/tui/app.py +1114 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
Business Source License 1.1
|
|
2
|
+
|
|
3
|
+
Parameters
|
|
4
|
+
|
|
5
|
+
Licensor: MumpixDB
|
|
6
|
+
|
|
7
|
+
Licensed Work: wydcode and Socra Harness source code, compiled binaries,
|
|
8
|
+
build tooling, and documentation distributed in this
|
|
9
|
+
repository.
|
|
10
|
+
|
|
11
|
+
Additional Use Grant: You may make production use of the Licensed Work, provided
|
|
12
|
+
Your use does not include offering the Licensed Work to
|
|
13
|
+
third parties as a commercial hosted service.
|
|
14
|
+
|
|
15
|
+
Change Date: 2030-07-09
|
|
16
|
+
|
|
17
|
+
Change License: Apache License, Version 2.0
|
|
18
|
+
|
|
19
|
+
For alternative licensing arrangements, contact MumpixDB.
|
|
20
|
+
|
|
21
|
+
Business Source License 1.1
|
|
22
|
+
|
|
23
|
+
License text copyright (c) 2024 MariaDB plc, All Rights Reserved.
|
|
24
|
+
"Business Source License" is a trademark of MariaDB plc.
|
|
25
|
+
|
|
26
|
+
Terms
|
|
27
|
+
|
|
28
|
+
The Licensor hereby grants you the right to copy, modify, create derivative
|
|
29
|
+
works, redistribute, and make non-production use of the Licensed Work. The
|
|
30
|
+
Licensor may make an Additional Use Grant, above, permitting limited production
|
|
31
|
+
use.
|
|
32
|
+
|
|
33
|
+
Effective on the Change Date, or the fourth anniversary of the first publicly
|
|
34
|
+
available distribution of a specific version of the Licensed Work under this
|
|
35
|
+
License, whichever comes first, the Licensor hereby grants you rights under the
|
|
36
|
+
terms of the Change License, and the rights granted in the paragraph above
|
|
37
|
+
terminate.
|
|
38
|
+
|
|
39
|
+
If your use of the Licensed Work does not comply with the requirements currently
|
|
40
|
+
in effect as described in this License, you must purchase a commercial license
|
|
41
|
+
from the Licensor, its affiliated entities, or authorized resellers, or you must
|
|
42
|
+
refrain from using the Licensed Work.
|
|
43
|
+
|
|
44
|
+
All copies of the original and modified Licensed Work, and derivative works of
|
|
45
|
+
the Licensed Work, are subject to this License. This License applies separately
|
|
46
|
+
for each version of the Licensed Work and the Change Date may vary for each
|
|
47
|
+
version of the Licensed Work released by Licensor.
|
|
48
|
+
|
|
49
|
+
You must conspicuously display this License on each original or modified copy of
|
|
50
|
+
the Licensed Work. If you receive the Licensed Work in original or modified form
|
|
51
|
+
from a third party, the terms and conditions set forth in this License apply to
|
|
52
|
+
your use of that work.
|
|
53
|
+
|
|
54
|
+
Any use of the Licensed Work in violation of this License will automatically
|
|
55
|
+
terminate your rights under this License for the current and all other versions
|
|
56
|
+
of the Licensed Work.
|
|
57
|
+
|
|
58
|
+
This License does not grant you any right in any trademark or logo of Licensor
|
|
59
|
+
or its affiliates (provided that you may use a trademark or logo of Licensor as
|
|
60
|
+
expressly required by this License).
|
|
61
|
+
|
|
62
|
+
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN
|
|
63
|
+
"AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
|
|
64
|
+
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
|
|
65
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
|
|
66
|
+
|
|
67
|
+
MariaDB hereby grants you permission to use this License's text to license your
|
|
68
|
+
works, and to refer to it using the trademark "Business Source License", as long
|
|
69
|
+
as you comply with the Covenants of Licensor below.
|
|
70
|
+
|
|
71
|
+
Covenants of Licensor
|
|
72
|
+
|
|
73
|
+
In consideration of the right to use this License's text and the "Business Source
|
|
74
|
+
License" name and trademark, Licensor covenants to MariaDB, and to all other
|
|
75
|
+
recipients of the licensed work to be provided by Licensor:
|
|
76
|
+
|
|
77
|
+
1. To specify as the Change License the GPL Version 2.0 or any later version,
|
|
78
|
+
or a license that is compatible with GPL Version 2.0 or a later version,
|
|
79
|
+
where "compatible" means that software provided under the Change License can
|
|
80
|
+
be included in a program with software provided under GPL Version 2.0 or a
|
|
81
|
+
later version. Licensor may specify additional Change Licenses without
|
|
82
|
+
limitation.
|
|
83
|
+
|
|
84
|
+
2. To either: (a) specify an additional grant of rights to use that does not
|
|
85
|
+
impose any additional restriction on the right granted in this License, as
|
|
86
|
+
the Additional Use Grant; or (b) insert the text "None" to specify a Change
|
|
87
|
+
Date.
|
|
88
|
+
|
|
89
|
+
3. To specify a Change Date.
|
|
90
|
+
|
|
91
|
+
4. Not to modify this License in any other way.
|
|
92
|
+
|
|
93
|
+
Notice
|
|
94
|
+
|
|
95
|
+
The Business Source License (this document, or the "License") is not an Open
|
|
96
|
+
Source license. However, the Licensed Work will eventually be made available
|
|
97
|
+
under an Open Source License, as stated in this License.
|
|
98
|
+
|
|
99
|
+
For more information on the Business Source License, see
|
|
100
|
+
https://mariadb.com/bsl11/.
|
package/NOTICE
ADDED
package/README.md
ADDED
|
@@ -0,0 +1,434 @@
|
|
|
1
|
+
# wydcode
|
|
2
|
+
|
|
3
|
+
Describe a bug at night; by morning there is a fix waiting that provably could
|
|
4
|
+
not have touched your source tree. `wydcode` gives you a hash-pinned diff to review
|
|
5
|
+
over coffee and promote with one command. The value is not "AI writes code"; a
|
|
6
|
+
dozen tools do that. It is delegation without supervision: leave it alone, get a
|
|
7
|
+
reviewable fix, and keep real writes behind a promotion gate.
|
|
8
|
+
|
|
9
|
+
`wydcode` packages the Socra Harness engine behind a short npm command.
|
|
10
|
+
|
|
11
|
+
`wydcode` is the public npm package and command. The implementation and some
|
|
12
|
+
historical receipts still use the wydcode engine name, and `.socra/`
|
|
13
|
+
remains the on-disk state directory.
|
|
14
|
+
|
|
15
|
+
## License
|
|
16
|
+
|
|
17
|
+
wydcode is source-available under the Business Source License 1.1 (BUSL-1.1).
|
|
18
|
+
You may use it in production except to offer wydcode or wydcode to third
|
|
19
|
+
parties as a commercial hosted service. Each version converts to Apache-2.0 on
|
|
20
|
+
the earlier of its stated Change Date or four years after its first public BUSL
|
|
21
|
+
distribution. This release's Change Date is 2030-07-09. See [LICENSE](LICENSE).
|
|
22
|
+
|
|
23
|
+
## 90-Second Check
|
|
24
|
+
|
|
25
|
+
Prerequisites:
|
|
26
|
+
|
|
27
|
+
- Python `3.11+`
|
|
28
|
+
- `git`
|
|
29
|
+
- `node`
|
|
30
|
+
- `npm`
|
|
31
|
+
- internet access for first install and model pull
|
|
32
|
+
- `ollama` if you use the Ollama commands below
|
|
33
|
+
|
|
34
|
+
For the real-model check, also run an OpenAI-compatible local model endpoint.
|
|
35
|
+
With Ollama:
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
# in another terminal, if Ollama is not already running
|
|
39
|
+
ollama serve
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
Then:
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
ollama pull qwen2.5-coder:14b
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
Install `wydcode` from npm:
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
npm install -g wydcode
|
|
52
|
+
wydcode --help
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
Or install from this checkout:
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
npm install -g .
|
|
59
|
+
wydcode --help
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
Or install the Python package directly:
|
|
63
|
+
|
|
64
|
+
```bash
|
|
65
|
+
PYTHON="$(command -v python3.12 || command -v python3.11 || command -v python3)"
|
|
66
|
+
"$PYTHON" - <<'PY'
|
|
67
|
+
import sys
|
|
68
|
+
if sys.version_info < (3, 11):
|
|
69
|
+
raise SystemExit("wydcode requires Python 3.11+. Install Python 3.11+ and rerun this block.")
|
|
70
|
+
PY
|
|
71
|
+
"$PYTHON" -m venv .venv
|
|
72
|
+
source .venv/bin/activate
|
|
73
|
+
python -m pip install --upgrade pip
|
|
74
|
+
python -m pip install -e .
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
Run the fixture loop:
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
python scripts/run_product_five_step_check.py \
|
|
81
|
+
--endpoint http://127.0.0.1:11434/v1 \
|
|
82
|
+
--model qwen2.5-coder:14b \
|
|
83
|
+
--receipt-scope local_workstation_smoke \
|
|
84
|
+
--keep-workdir
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
Expected shape:
|
|
88
|
+
|
|
89
|
+
```text
|
|
90
|
+
git init: exit=0
|
|
91
|
+
git add: exit=0
|
|
92
|
+
git commit fixture: exit=0
|
|
93
|
+
wydcode init: exit=0
|
|
94
|
+
wydcode fix: exit=0
|
|
95
|
+
wydcode review: exit=0
|
|
96
|
+
wydcode approve: exit=0
|
|
97
|
+
wydcode promote: exit=0
|
|
98
|
+
npm test real tree: exit=0
|
|
99
|
+
receipt: .../docs/generated/product_five_step_check_latest.json
|
|
100
|
+
wydcode_setup_under_five_minutes: True
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
The fixture starts with:
|
|
104
|
+
|
|
105
|
+
```js
|
|
106
|
+
export function add(a, b) {
|
|
107
|
+
return a - b;
|
|
108
|
+
}
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
The promoted real tree should end with:
|
|
112
|
+
|
|
113
|
+
```js
|
|
114
|
+
export function add(a, b) {
|
|
115
|
+
return a + b;
|
|
116
|
+
}
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
## Product Flow
|
|
120
|
+
|
|
121
|
+
Initialize a git repo:
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
wydcode init \
|
|
125
|
+
--project ./my-repo \
|
|
126
|
+
--endpoint http://127.0.0.1:11434/v1 \
|
|
127
|
+
--model qwen2.5-coder:14b
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
Start a fix:
|
|
131
|
+
|
|
132
|
+
```bash
|
|
133
|
+
wydcode fix \
|
|
134
|
+
"In the updateLocale plugin, partial updates to nested locale formats wipe out sibling formats." \
|
|
135
|
+
--project ./my-repo \
|
|
136
|
+
--declared-file src/plugin/updateLocale/index.js
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
Review, then approve and promote or reject:
|
|
140
|
+
|
|
141
|
+
```bash
|
|
142
|
+
wydcode review --project ./my-repo
|
|
143
|
+
wydcode approve --project ./my-repo
|
|
144
|
+
wydcode promote --project ./my-repo
|
|
145
|
+
# Or, when the staged patch is wrong:
|
|
146
|
+
wydcode reject --project ./my-repo --reason "Held-out probe fails for nested arrays"
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Important expected behavior:
|
|
150
|
+
|
|
151
|
+
```text
|
|
152
|
+
review -> prints the exact dry-run diff and records hashes
|
|
153
|
+
approve -> must be a separate command, bound to the presented diff hash
|
|
154
|
+
reject -> records a terminal human rejection for that hash and exports its trace
|
|
155
|
+
promote -> the only product command that writes the real source tree
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
Every successful promotion, gate-rejected task attempt, and explicit human
|
|
159
|
+
rejection appends a
|
|
160
|
+
content-free trace to the local, cross-project ledger at
|
|
161
|
+
`~/.wydcode/traces/events.jsonl`. MumpixDB maintains a
|
|
162
|
+
rebuildable index of those traces; the hash-chained JSONL remains the source of
|
|
163
|
+
truth. Inspect the growing fix journal or repair a missed export with:
|
|
164
|
+
|
|
165
|
+
```bash
|
|
166
|
+
wydcode traces status
|
|
167
|
+
wydcode traces sync --project ./my-repo
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
`traces status` reports both indexed and pending event counts and exits nonzero
|
|
171
|
+
while pending events exist. A trace is
|
|
172
|
+
durable as soon as it reaches the hash-chained JSONL ledger, but it is not
|
|
173
|
+
available in the rebuildable MumpixDB index until the pending count returns to
|
|
174
|
+
zero. Exact recurrence routing reads and verifies the hash-chained source ledger
|
|
175
|
+
directly; it does not trust approximate index results for route selection.
|
|
176
|
+
`traces sync` exits nonzero when any index update remains incomplete.
|
|
177
|
+
|
|
178
|
+
Trace records contain repository identity, task and model accounting, gate and
|
|
179
|
+
artifact hashes, and changed-file paths. They do not contain source or patch
|
|
180
|
+
content, and they never infer a recurrence family during collection.
|
|
181
|
+
|
|
182
|
+
### Exact Recurrence Retrieval
|
|
183
|
+
|
|
184
|
+
Retrieval is exact-or-abstain. It never uses embeddings, model relevance
|
|
185
|
+
scores, thresholds, nearest neighbors, or approximate fallback. A fix opts in
|
|
186
|
+
with a structured card compiled under the frozen four-field grammar:
|
|
187
|
+
|
|
188
|
+
```bash
|
|
189
|
+
wydcode fix \
|
|
190
|
+
"A later instance violates the same terminal-state invariant" \
|
|
191
|
+
--project ./my-repo \
|
|
192
|
+
--declared-file src/state.js \
|
|
193
|
+
--recurrence-card recurrence-card.json
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
After reading a passing diff, a reviewer may bind behavior rather than source
|
|
197
|
+
or patch text. Minting also requires a passing held-out evidence artifact with
|
|
198
|
+
hidden feedback disabled:
|
|
199
|
+
|
|
200
|
+
```bash
|
|
201
|
+
wydcode approve \
|
|
202
|
+
--project ./my-repo \
|
|
203
|
+
--behavior-card behavior-preference.json \
|
|
204
|
+
--heldout-evidence heldout-evidence.json
|
|
205
|
+
wydcode promote --project ./my-repo
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
The promotion mints a probationary project-scoped `PREFER` gene only when the
|
|
209
|
+
task gate, full-suite milestone, held-out probe, human authorization, bundle
|
|
210
|
+
hash, repository identity, and exact key all agree. A later task fires only
|
|
211
|
+
when exactly one prior gene has the same complete key. Missing keys, collisions,
|
|
212
|
+
project mismatches, and exact task replays abstain.
|
|
213
|
+
Injection also abstains unless the configured context budget preserves the full
|
|
214
|
+
output cap, the existing prompt, and a fixed safety margin; retrieval never
|
|
215
|
+
borrows output headroom.
|
|
216
|
+
|
|
217
|
+
For a paired cold control, create the same frozen task in an isolated checkout
|
|
218
|
+
with `--retrieval disabled`. A route fire or retrieval-backed promotion is not
|
|
219
|
+
by itself a capability lift; that claim requires the gene-backed arm to pass
|
|
220
|
+
where its paired cold arm fails under the same budgets and gates.
|
|
221
|
+
|
|
222
|
+
Examples: [recurrence card](examples/exact-recurrence-card.json),
|
|
223
|
+
[behavior card](examples/behavior-preference-card.json), and
|
|
224
|
+
[held-out evidence](examples/heldout-gene-evidence.json). Existing traces that
|
|
225
|
+
predate this mechanism are not retroactively enriched or treated as genes.
|
|
226
|
+
|
|
227
|
+
### Large-file output contract
|
|
228
|
+
|
|
229
|
+
For a single existing file whose estimated full replacement would consume at
|
|
230
|
+
least 75% of the reserved output budget, wydcode automatically requests exact
|
|
231
|
+
anchored edits instead of a full-file rewrite. Every anchor must match the
|
|
232
|
+
original file exactly once, edit ranges may not overlap, and paths must remain
|
|
233
|
+
inside the declared file set. Missing, repeated, overlapping, mixed-contract,
|
|
234
|
+
or otherwise malformed anchors fail closed before an artifact reaches the test
|
|
235
|
+
overlay. The harness then materializes accepted edits into the same atomic
|
|
236
|
+
sandbox and runs the ordinary syntax, test, review, approval, and promotion
|
|
237
|
+
gates; anchored mode does not bypass or weaken any gate.
|
|
238
|
+
|
|
239
|
+
Gate outcomes distinguish a patch failure from a gate that could not execute.
|
|
240
|
+
A syntax or test failure is evidence against the patch. A missing parser,
|
|
241
|
+
compiler, test runner, or dependency is reported as infrastructure unavailable
|
|
242
|
+
and blocks the task without classifying the patch as bad.
|
|
243
|
+
|
|
244
|
+
Plan-only smoke without a live model:
|
|
245
|
+
|
|
246
|
+
```bash
|
|
247
|
+
wydcode fix \
|
|
248
|
+
"Fix add so it returns the sum" \
|
|
249
|
+
--project ./my-repo \
|
|
250
|
+
--declared-file src/math.js \
|
|
251
|
+
--plan-only
|
|
252
|
+
```
|
|
253
|
+
|
|
254
|
+
## How To Delegate Well
|
|
255
|
+
|
|
256
|
+
Good bug descriptions name the area, plugin, file, function, or error surface.
|
|
257
|
+
This helps `wydcode` choose a narrow first scope or fail closed.
|
|
258
|
+
|
|
259
|
+
Better:
|
|
260
|
+
|
|
261
|
+
```text
|
|
262
|
+
In the updateLocale plugin, partial updates to nested locale formats wipe out sibling formats.
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
Also good:
|
|
266
|
+
|
|
267
|
+
```text
|
|
268
|
+
processValue appears to turn --timestamp into NaN before applyCoercions can run.
|
|
269
|
+
```
|
|
270
|
+
|
|
271
|
+
Weak:
|
|
272
|
+
|
|
273
|
+
```text
|
|
274
|
+
It breaks when I pass a timestamp.
|
|
275
|
+
```
|
|
276
|
+
|
|
277
|
+
If `wydcode` cannot determine a safe file scope, it stops and asks for
|
|
278
|
+
`--declared-file`. That is intentional. Failing closed is a product feature;
|
|
279
|
+
guessing wrong is a bug.
|
|
280
|
+
|
|
281
|
+
## Model Expectations
|
|
282
|
+
|
|
283
|
+
Small local models can be useful behind the gate, but they are not magic. In our
|
|
284
|
+
receipts, `qwen2.5-coder:14b` handled small local JavaScript fixes and failed on
|
|
285
|
+
a real TypeScript library by returning advice instead of a patch. The gate kept
|
|
286
|
+
that failure out of the source tree.
|
|
287
|
+
|
|
288
|
+
Use a stronger model when the repo is large, TypeScript-heavy, cross-file, or
|
|
289
|
+
semantically subtle. `wydcode`'s job is to make the attempt auditable and gated, not
|
|
290
|
+
to pretend every model can fix every bug.
|
|
291
|
+
|
|
292
|
+
## Safety Model
|
|
293
|
+
|
|
294
|
+
`wydcode` is a workspace tool, not a security sandbox.
|
|
295
|
+
|
|
296
|
+
- The model can see the source files included in its prompt.
|
|
297
|
+
- The model writes staged artifacts under `.socra/`.
|
|
298
|
+
- Product source writes require `review -> approve -> promote`.
|
|
299
|
+
- A reviewed patch can instead end with `reject`; that exact artifact hash can
|
|
300
|
+
never be approved afterward.
|
|
301
|
+
- Approval is hash-bound to the exact presented diff.
|
|
302
|
+
- `fix` requires the configured local endpoint to be reachable before creating a
|
|
303
|
+
real job.
|
|
304
|
+
- Hosted fallback is disabled in the generated config.
|
|
305
|
+
- Do not run `wydcode` on repositories containing secrets you would not show to the
|
|
306
|
+
configured model endpoint.
|
|
307
|
+
|
|
308
|
+
See [SECURITY.md](SECURITY.md).
|
|
309
|
+
|
|
310
|
+
## Receipts
|
|
311
|
+
|
|
312
|
+
These are append-only evidence, not marketing claims.
|
|
313
|
+
|
|
314
|
+
| Run | Date | Model | Outcome | Lesson |
|
|
315
|
+
| --- | --- | --- | --- | --- |
|
|
316
|
+
| Clean VM exit test | 2026-07-09 | `qwen2.5-coder:14b` | pass | setup and the five-step loop worked on a fresh Ubuntu VM |
|
|
317
|
+
| Day.js real-repo exam | 2026-07-06 | `ornith-1.0-35b-Q6_K` | 3/5 clean primary passes | even a 35B local model has a real envelope |
|
|
318
|
+
| Overnight Day.js run | 2026-07-09 | `qwen2.5-coder:14b` | `human_rejects_diff` | the gate caught a plausible task-green but semantically unsafe fix |
|
|
319
|
+
| Cold yargs run | 2026-07-09 | `qwen2.5-coder:14b` | `bad_fix_gate_red`, subtype `not_a_patch` | advisory prose died at static review before tests or source writes |
|
|
320
|
+
| Scope inference rerun | 2026-07-09 | `qwen2.5-coder:14b` | scope fixed, patch still rejected | inference improved; model quality remained bounded |
|
|
321
|
+
| Acquisition false-negative audit | 2026-07-12 | `ornith-1.0-35b-Q6_K` | frozen `0/10`; repaired tail `4/5` promoted | failure-layer bucketing found a deterministic newline defect in Wydcode, not a pure model ceiling |
|
|
322
|
+
|
|
323
|
+
Receipt index:
|
|
324
|
+
|
|
325
|
+
- [Generated receipts](docs/generated/README.md)
|
|
326
|
+
- [Public package rehearsal](docs/generated/wydcode_public_rehearsal_20260710.json)
|
|
327
|
+
- [Public full-loop rehearsal](docs/generated/wydcode_full_loop_rehearsal_20260710.json)
|
|
328
|
+
- [Registry action receipt](docs/generated/wydcode_registry_action_20260710.json)
|
|
329
|
+
- [Clean VM exit test](docs/generated/clean_machine_exit_test_lima_qwen_20260709.json)
|
|
330
|
+
- [Overnight Day.js result](docs/generated/overnight_real_repo_run_v1_result.json)
|
|
331
|
+
- [Cold real-issue VM result](docs/generated/cold_real_issue_vm_run_v1_result.json)
|
|
332
|
+
- [Scope inference rerun receipt](docs/generated/scope_inference_after_overnight_arm_a.json)
|
|
333
|
+
- [Frozen acquisition result](docs/generated/ornith35b_acquisition_stopping_result_v1_20260712.json)
|
|
334
|
+
- [Repaired acquisition-tail result](docs/generated/wydcode_final_newline_repair_tail_replication_result_v1_20260712.json)
|
|
335
|
+
- [Moment-to-Day.js transfer writeup](docs/stress_tests/moment_to_dayjs_transfer_writeup.md)
|
|
336
|
+
- [Scope inference v1.1 spec](docs/SCOPE_INFERENCE_V1_1_SPEC.md)
|
|
337
|
+
|
|
338
|
+
## Clean-Machine Exit Test
|
|
339
|
+
|
|
340
|
+
On a fresh Ubuntu/Linux VM:
|
|
341
|
+
|
|
342
|
+
```bash
|
|
343
|
+
bash scripts/run_clean_machine_exit_test_ubuntu.sh
|
|
344
|
+
```
|
|
345
|
+
|
|
346
|
+
The script installs documented prerequisites when needed, starts Ollama, pulls
|
|
347
|
+
`qwen2.5-coder:14b`, installs `wydcode` into a local venv, and runs the five-step
|
|
348
|
+
fixture check with `receipt_scope=clean_machine_exit_test`.
|
|
349
|
+
|
|
350
|
+
Timing is split into:
|
|
351
|
+
|
|
352
|
+
- prerequisite setup: external tools and model acquisition
|
|
353
|
+
- `wydcode` setup: install time plus `wydcode init`
|
|
354
|
+
- fix loop: `fix -> review -> approve -> promote -> npm test`
|
|
355
|
+
|
|
356
|
+
Only `wydcode` setup is the under-five-minute setup claim. Model pull and inference
|
|
357
|
+
time are reported separately.
|
|
358
|
+
|
|
359
|
+
## Stranger-Test Protocol
|
|
360
|
+
|
|
361
|
+
This is the launch gate.
|
|
362
|
+
|
|
363
|
+
- two people who have never seen the project
|
|
364
|
+
- README only
|
|
365
|
+
- no coaching, hints, or touching their machine
|
|
366
|
+
- success means the fixture loop completes unassisted
|
|
367
|
+
- every stall is copied verbatim as a docs bug
|
|
368
|
+
- if either person stalls, patch docs and rerun with a fresh stranger
|
|
369
|
+
- if both pass, launch
|
|
370
|
+
|
|
371
|
+
## Pre-Launch Gate
|
|
372
|
+
|
|
373
|
+
- The repository must be public before Show HN or stranger testing.
|
|
374
|
+
- The npm metadata links must resolve publicly before the next public publish.
|
|
375
|
+
- The two-stranger gate must pass before the launch post is published.
|
|
376
|
+
|
|
377
|
+
## Source And Contributions
|
|
378
|
+
|
|
379
|
+
The source is licensed under BUSL-1.1; see [LICENSE](LICENSE). The `wydcode`,
|
|
380
|
+
wydcode, Socra, and MumpixDB names and logos are not licensed with the
|
|
381
|
+
source; see [TRADEMARKS.md](TRADEMARKS.md).
|
|
382
|
+
|
|
383
|
+
Security reports belong in the repository's private vulnerability-reporting
|
|
384
|
+
form, not a public issue. External code contributions require the contributor
|
|
385
|
+
terms described in [CONTRIBUTING.md](CONTRIBUTING.md) before merge.
|
|
386
|
+
|
|
387
|
+
## Current Limits
|
|
388
|
+
|
|
389
|
+
- v1 scope inference uses path and filename signals. v1.1 will add
|
|
390
|
+
content-token rarity matching; see [Scope Inference v1.1](docs/SCOPE_INFERENCE_V1_1_SPEC.md).
|
|
391
|
+
- Historical receipts may mention `socra`, `wydcode`, or wydcode.
|
|
392
|
+
Those are the engine and pre-public-name labels; the public package and command
|
|
393
|
+
are `wydcode`.
|
|
394
|
+
- The project is local-first. It assumes you control the endpoint you configure.
|
|
395
|
+
|
|
396
|
+
## Additional Harness Tools
|
|
397
|
+
|
|
398
|
+
Start an interactive local GGUF session:
|
|
399
|
+
|
|
400
|
+
```bash
|
|
401
|
+
wydcode start
|
|
402
|
+
```
|
|
403
|
+
|
|
404
|
+
Serve a GGUF through the local OpenAI-compatible endpoint:
|
|
405
|
+
|
|
406
|
+
```bash
|
|
407
|
+
wydcode serve \
|
|
408
|
+
--model ~/models/model.gguf \
|
|
409
|
+
--llama-server /path/to/llama-server \
|
|
410
|
+
--alias MyLocalCoder \
|
|
411
|
+
--port 11439
|
|
412
|
+
```
|
|
413
|
+
|
|
414
|
+
Benchmark a GGUF:
|
|
415
|
+
|
|
416
|
+
```bash
|
|
417
|
+
wydcode eval humaneval \
|
|
418
|
+
--model ~/models/model.gguf \
|
|
419
|
+
--llama-cli /path/to/llama-cli \
|
|
420
|
+
--tasks /path/to/humaneval.jsonl \
|
|
421
|
+
--mode socra
|
|
422
|
+
```
|
|
423
|
+
|
|
424
|
+
Scan a repo for repeatable candidates:
|
|
425
|
+
|
|
426
|
+
```bash
|
|
427
|
+
wydcode scan ./my-repo --out .socra/candidates.json
|
|
428
|
+
```
|
|
429
|
+
|
|
430
|
+
Show status:
|
|
431
|
+
|
|
432
|
+
```bash
|
|
433
|
+
wydcode status --project ./my-repo
|
|
434
|
+
```
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Security
|
|
2
|
+
|
|
3
|
+
`wydcode` is a local workspace tool, not a security sandbox.
|
|
4
|
+
|
|
5
|
+
The internal engine and historical receipts may still use the Socra Harness
|
|
6
|
+
name. The public command and npm package are `wydcode`; `.socra/` remains the
|
|
7
|
+
state directory.
|
|
8
|
+
|
|
9
|
+
## What `wydcode` Does Protect
|
|
10
|
+
|
|
11
|
+
- Source changes are staged under `.socra/` before promotion.
|
|
12
|
+
- `review` presents a dry-run diff and records artifact hashes.
|
|
13
|
+
- `approve` is a separate command and is bound to the presented diff hash.
|
|
14
|
+
- `promote` is the only product command that writes the real source tree.
|
|
15
|
+
- Generated config disables hosted fallback by default.
|
|
16
|
+
- Validated-fix traces stay local under `~/.wydcode/traces` and contain hashes
|
|
17
|
+
and metadata, not source or patch content.
|
|
18
|
+
|
|
19
|
+
## What `wydcode` Does Not Protect
|
|
20
|
+
|
|
21
|
+
- It does not make an untrusted model safe.
|
|
22
|
+
- It does not hide prompted source files from the configured model endpoint.
|
|
23
|
+
- It does not prevent a malicious local endpoint from logging prompts.
|
|
24
|
+
- It does not sandbox arbitrary dependency install scripts.
|
|
25
|
+
- It does not replace git, backups, code review, or CI.
|
|
26
|
+
|
|
27
|
+
## Safe Use
|
|
28
|
+
|
|
29
|
+
- Run `wydcode` only in git repositories.
|
|
30
|
+
- Start with small, module-scoped fixes.
|
|
31
|
+
- Use `--declared-file` when you know the file.
|
|
32
|
+
- Read the diff before approving it.
|
|
33
|
+
- Do not run `wydcode` on repositories containing secrets you would not send to the
|
|
34
|
+
configured local endpoint.
|
|
35
|
+
- Prefer disposable VMs or containers for unfamiliar repositories.
|
|
36
|
+
|
|
37
|
+
## Network And Installs
|
|
38
|
+
|
|
39
|
+
Product `fix` uses the endpoint recorded in `.socra/config.json`.
|
|
40
|
+
|
|
41
|
+
The cross-project trace ledger and its MumpixDB index are local files. No trace
|
|
42
|
+
upload or hosted fallback occurs. Set `WYDCODE_TRACE_HOME` to move the store to
|
|
43
|
+
another local volume.
|
|
44
|
+
|
|
45
|
+
The hash-chained JSONL ledger is authoritative; the MumpixDB index is derived.
|
|
46
|
+
Treat a nonzero `wydcode traces status` pending count as an evidence-integrity
|
|
47
|
+
failure and run `wydcode traces sync --project .` before relying on retrieval.
|
|
48
|
+
The CLI surfaces index failures without rolling back an already-applied,
|
|
49
|
+
hash-receipted promotion.
|
|
50
|
+
|
|
51
|
+
Interactive sandbox commands are separate from product promotion. If you enable
|
|
52
|
+
network or install access for interactive agents, keep it inside disposable
|
|
53
|
+
sandbox workspaces and review outputs before copying anything into source.
|
|
54
|
+
|
|
55
|
+
## Reporting
|
|
56
|
+
|
|
57
|
+
Do not open a public issue for a suspected vulnerability or leaked credential.
|
|
58
|
+
Use GitHub's private vulnerability-reporting form for this repository:
|
|
59
|
+
|
|
60
|
+
https://github.com/mumpix/wydcode/security/advisories/new
|
|
61
|
+
|
|
62
|
+
Include the affected version, reproduction steps, impact, and any suggested
|
|
63
|
+
mitigation. If the report includes a credential, provide only enough of the
|
|
64
|
+
value to identify it; never paste a complete live secret.
|
package/SOCRA_SOURCE.md
ADDED
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
# Socra Source Provenance
|
|
2
|
+
|
|
3
|
+
This npm package is the `wydcode` public distribution of the Socra Harness
|
|
4
|
+
engine. The public command and npm package are `wydcode`; the Python module and
|
|
5
|
+
some historical receipts still use the `socra_harness` / Socra Harness engine
|
|
6
|
+
name.
|
|
7
|
+
|
|
8
|
+
Canonical source repository:
|
|
9
|
+
|
|
10
|
+
```text
|
|
11
|
+
https://github.com/mumpix/wydcode
|
|
12
|
+
```
|
|
13
|
+
|
|
14
|
+
The source tree location is the repository root. Provenance identity is the
|
|
15
|
+
commit below; it never includes a builder-specific absolute path.
|
|
16
|
+
|
|
17
|
+
Canonical source reference used for `wydcode@0.4.3`:
|
|
18
|
+
|
|
19
|
+
```text
|
|
20
|
+
bd6e4f2a51f24f8ffaf30c5976f82d7fae5040f9
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
Source status:
|
|
24
|
+
|
|
25
|
+
```text
|
|
26
|
+
clean
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
Policy:
|
|
30
|
+
|
|
31
|
+
- Changes land in the canonical source tree first.
|
|
32
|
+
- `wydcode` is the public npm install identity.
|
|
33
|
+
- Changes should land in the canonical tree first, then this package should be
|
|
34
|
+
regenerated from a pinned commit with `scripts/build_wydcode_package.sh`.
|
|
35
|
+
- Rehearsals for stranger-facing docs must use the public command name
|
|
36
|
+
`wydcode`, not only the internal `socra-harness` alias.
|
package/TRADEMARKS.md
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
# Trademarks
|
|
2
|
+
|
|
3
|
+
`wydcode`, Socra Harness, Socra, MumpixDB, their logos, and associated product
|
|
4
|
+
branding are marks of MumpixDB.
|
|
5
|
+
|
|
6
|
+
The software license does not grant permission to use these marks to identify,
|
|
7
|
+
promote, or imply endorsement of a modified product or commercial service.
|
|
8
|
+
Accurate, nominative references to the unmodified project are permitted.
|
|
9
|
+
|
|
10
|
+
Forks must use distinct names and branding unless MumpixDB grants written
|
|
11
|
+
permission. Nothing in this policy limits rights that cannot be restricted by
|
|
12
|
+
applicable law.
|