wydcode 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/LICENSE +100 -0
  2. package/NOTICE +5 -0
  3. package/README.md +434 -0
  4. package/SECURITY.md +64 -0
  5. package/SOCRA_SOURCE.md +36 -0
  6. package/TRADEMARKS.md +12 -0
  7. package/bin/wydcode.js +74 -0
  8. package/examples/behavior-preference-card.json +12 -0
  9. package/examples/exact-recurrence-card.json +11 -0
  10. package/examples/heldout-gene-evidence.json +6 -0
  11. package/examples/humaneval-ornith.md +29 -0
  12. package/examples/large_context_json_diagnostic.py +187 -0
  13. package/fixtures/failing-node-repo/package.json +9 -0
  14. package/fixtures/failing-node-repo/src/math.js +3 -0
  15. package/fixtures/failing-node-repo/test/math.test.js +8 -0
  16. package/package.json +55 -0
  17. package/pyproject.toml +24 -0
  18. package/socra_harness/__init__.py +3 -0
  19. package/socra_harness/attempts.py +76 -0
  20. package/socra_harness/central_traces.py +627 -0
  21. package/socra_harness/cli.py +265 -0
  22. package/socra_harness/eval/__init__.py +1 -0
  23. package/socra_harness/eval/humaneval.py +388 -0
  24. package/socra_harness/events.py +39 -0
  25. package/socra_harness/init.py +206 -0
  26. package/socra_harness/job/__init__.py +2 -0
  27. package/socra_harness/job/events.py +132 -0
  28. package/socra_harness/job/lock.py +90 -0
  29. package/socra_harness/job/manager.py +3785 -0
  30. package/socra_harness/job/planner.py +253 -0
  31. package/socra_harness/job/state.py +106 -0
  32. package/socra_harness/mumpix_trace_bridge.cjs +32 -0
  33. package/socra_harness/product.py +533 -0
  34. package/socra_harness/recurrence.py +263 -0
  35. package/socra_harness/scan/__init__.py +1 -0
  36. package/socra_harness/scan/repo.py +85 -0
  37. package/socra_harness/serve/__init__.py +1 -0
  38. package/socra_harness/serve/local_proxy.py +293 -0
  39. package/socra_harness/start.py +331 -0
  40. package/socra_harness/tui/__init__.py +1 -0
  41. package/socra_harness/tui/app.py +1114 -0
package/LICENSE ADDED
@@ -0,0 +1,100 @@
1
+ Business Source License 1.1
2
+
3
+ Parameters
4
+
5
+ Licensor: MumpixDB
6
+
7
+ Licensed Work: wydcode and Socra Harness source code, compiled binaries,
8
+ build tooling, and documentation distributed in this
9
+ repository.
10
+
11
+ Additional Use Grant: You may make production use of the Licensed Work, provided
12
+ Your use does not include offering the Licensed Work to
13
+ third parties as a commercial hosted service.
14
+
15
+ Change Date: 2030-07-09
16
+
17
+ Change License: Apache License, Version 2.0
18
+
19
+ For alternative licensing arrangements, contact MumpixDB.
20
+
21
+ Business Source License 1.1
22
+
23
+ License text copyright (c) 2024 MariaDB plc, All Rights Reserved.
24
+ "Business Source License" is a trademark of MariaDB plc.
25
+
26
+ Terms
27
+
28
+ The Licensor hereby grants you the right to copy, modify, create derivative
29
+ works, redistribute, and make non-production use of the Licensed Work. The
30
+ Licensor may make an Additional Use Grant, above, permitting limited production
31
+ use.
32
+
33
+ Effective on the Change Date, or the fourth anniversary of the first publicly
34
+ available distribution of a specific version of the Licensed Work under this
35
+ License, whichever comes first, the Licensor hereby grants you rights under the
36
+ terms of the Change License, and the rights granted in the paragraph above
37
+ terminate.
38
+
39
+ If your use of the Licensed Work does not comply with the requirements currently
40
+ in effect as described in this License, you must purchase a commercial license
41
+ from the Licensor, its affiliated entities, or authorized resellers, or you must
42
+ refrain from using the Licensed Work.
43
+
44
+ All copies of the original and modified Licensed Work, and derivative works of
45
+ the Licensed Work, are subject to this License. This License applies separately
46
+ for each version of the Licensed Work and the Change Date may vary for each
47
+ version of the Licensed Work released by Licensor.
48
+
49
+ You must conspicuously display this License on each original or modified copy of
50
+ the Licensed Work. If you receive the Licensed Work in original or modified form
51
+ from a third party, the terms and conditions set forth in this License apply to
52
+ your use of that work.
53
+
54
+ Any use of the Licensed Work in violation of this License will automatically
55
+ terminate your rights under this License for the current and all other versions
56
+ of the Licensed Work.
57
+
58
+ This License does not grant you any right in any trademark or logo of Licensor
59
+ or its affiliates (provided that you may use a trademark or logo of Licensor as
60
+ expressly required by this License).
61
+
62
+ TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN
63
+ "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
64
+ EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
65
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
66
+
67
+ MariaDB hereby grants you permission to use this License's text to license your
68
+ works, and to refer to it using the trademark "Business Source License", as long
69
+ as you comply with the Covenants of Licensor below.
70
+
71
+ Covenants of Licensor
72
+
73
+ In consideration of the right to use this License's text and the "Business Source
74
+ License" name and trademark, Licensor covenants to MariaDB, and to all other
75
+ recipients of the licensed work to be provided by Licensor:
76
+
77
+ 1. To specify as the Change License the GPL Version 2.0 or any later version,
78
+ or a license that is compatible with GPL Version 2.0 or a later version,
79
+ where "compatible" means that software provided under the Change License can
80
+ be included in a program with software provided under GPL Version 2.0 or a
81
+ later version. Licensor may specify additional Change Licenses without
82
+ limitation.
83
+
84
+ 2. To either: (a) specify an additional grant of rights to use that does not
85
+ impose any additional restriction on the right granted in this License, as
86
+ the Additional Use Grant; or (b) insert the text "None" to specify a Change
87
+ Date.
88
+
89
+ 3. To specify a Change Date.
90
+
91
+ 4. Not to modify this License in any other way.
92
+
93
+ Notice
94
+
95
+ The Business Source License (this document, or the "License") is not an Open
96
+ Source license. However, the Licensed Work will eventually be made available
97
+ under an Open Source License, as stated in this License.
98
+
99
+ For more information on the Business Source License, see
100
+ https://mariadb.com/bsl11/.
package/NOTICE ADDED
@@ -0,0 +1,5 @@
1
+ wydcode and Socra Harness
2
+ Copyright 2026 MumpixDB. All rights reserved.
3
+
4
+ The source code is made available under the Business Source License 1.1 in
5
+ LICENSE. That license does not grant trademark rights.
package/README.md ADDED
@@ -0,0 +1,434 @@
1
+ # wydcode
2
+
3
+ Describe a bug at night; by morning there is a fix waiting that provably could
4
+ not have touched your source tree. `wydcode` gives you a hash-pinned diff to review
5
+ over coffee and promote with one command. The value is not "AI writes code"; a
6
+ dozen tools do that. It is delegation without supervision: leave it alone, get a
7
+ reviewable fix, and keep real writes behind a promotion gate.
8
+
9
+ `wydcode` packages the Socra Harness engine behind a short npm command.
10
+
11
+ `wydcode` is the public npm package and command. The implementation and some
12
+ historical receipts still use the wydcode engine name, and `.socra/`
13
+ remains the on-disk state directory.
14
+
15
+ ## License
16
+
17
+ wydcode is source-available under the Business Source License 1.1 (BUSL-1.1).
18
+ You may use it in production except to offer wydcode or wydcode to third
19
+ parties as a commercial hosted service. Each version converts to Apache-2.0 on
20
+ the earlier of its stated Change Date or four years after its first public BUSL
21
+ distribution. This release's Change Date is 2030-07-09. See [LICENSE](LICENSE).
22
+
23
+ ## 90-Second Check
24
+
25
+ Prerequisites:
26
+
27
+ - Python `3.11+`
28
+ - `git`
29
+ - `node`
30
+ - `npm`
31
+ - internet access for first install and model pull
32
+ - `ollama` if you use the Ollama commands below
33
+
34
+ For the real-model check, also run an OpenAI-compatible local model endpoint.
35
+ With Ollama:
36
+
37
+ ```bash
38
+ # in another terminal, if Ollama is not already running
39
+ ollama serve
40
+ ```
41
+
42
+ Then:
43
+
44
+ ```bash
45
+ ollama pull qwen2.5-coder:14b
46
+ ```
47
+
48
+ Install `wydcode` from npm:
49
+
50
+ ```bash
51
+ npm install -g wydcode
52
+ wydcode --help
53
+ ```
54
+
55
+ Or install from this checkout:
56
+
57
+ ```bash
58
+ npm install -g .
59
+ wydcode --help
60
+ ```
61
+
62
+ Or install the Python package directly:
63
+
64
+ ```bash
65
+ PYTHON="$(command -v python3.12 || command -v python3.11 || command -v python3)"
66
+ "$PYTHON" - <<'PY'
67
+ import sys
68
+ if sys.version_info < (3, 11):
69
+ raise SystemExit("wydcode requires Python 3.11+. Install Python 3.11+ and rerun this block.")
70
+ PY
71
+ "$PYTHON" -m venv .venv
72
+ source .venv/bin/activate
73
+ python -m pip install --upgrade pip
74
+ python -m pip install -e .
75
+ ```
76
+
77
+ Run the fixture loop:
78
+
79
+ ```bash
80
+ python scripts/run_product_five_step_check.py \
81
+ --endpoint http://127.0.0.1:11434/v1 \
82
+ --model qwen2.5-coder:14b \
83
+ --receipt-scope local_workstation_smoke \
84
+ --keep-workdir
85
+ ```
86
+
87
+ Expected shape:
88
+
89
+ ```text
90
+ git init: exit=0
91
+ git add: exit=0
92
+ git commit fixture: exit=0
93
+ wydcode init: exit=0
94
+ wydcode fix: exit=0
95
+ wydcode review: exit=0
96
+ wydcode approve: exit=0
97
+ wydcode promote: exit=0
98
+ npm test real tree: exit=0
99
+ receipt: .../docs/generated/product_five_step_check_latest.json
100
+ wydcode_setup_under_five_minutes: True
101
+ ```
102
+
103
+ The fixture starts with:
104
+
105
+ ```js
106
+ export function add(a, b) {
107
+ return a - b;
108
+ }
109
+ ```
110
+
111
+ The promoted real tree should end with:
112
+
113
+ ```js
114
+ export function add(a, b) {
115
+ return a + b;
116
+ }
117
+ ```
118
+
119
+ ## Product Flow
120
+
121
+ Initialize a git repo:
122
+
123
+ ```bash
124
+ wydcode init \
125
+ --project ./my-repo \
126
+ --endpoint http://127.0.0.1:11434/v1 \
127
+ --model qwen2.5-coder:14b
128
+ ```
129
+
130
+ Start a fix:
131
+
132
+ ```bash
133
+ wydcode fix \
134
+ "In the updateLocale plugin, partial updates to nested locale formats wipe out sibling formats." \
135
+ --project ./my-repo \
136
+ --declared-file src/plugin/updateLocale/index.js
137
+ ```
138
+
139
+ Review, then approve and promote or reject:
140
+
141
+ ```bash
142
+ wydcode review --project ./my-repo
143
+ wydcode approve --project ./my-repo
144
+ wydcode promote --project ./my-repo
145
+ # Or, when the staged patch is wrong:
146
+ wydcode reject --project ./my-repo --reason "Held-out probe fails for nested arrays"
147
+ ```
148
+
149
+ Important expected behavior:
150
+
151
+ ```text
152
+ review -> prints the exact dry-run diff and records hashes
153
+ approve -> must be a separate command, bound to the presented diff hash
154
+ reject -> records a terminal human rejection for that hash and exports its trace
155
+ promote -> the only product command that writes the real source tree
156
+ ```
157
+
158
+ Every successful promotion, gate-rejected task attempt, and explicit human
159
+ rejection appends a
160
+ content-free trace to the local, cross-project ledger at
161
+ `~/.wydcode/traces/events.jsonl`. MumpixDB maintains a
162
+ rebuildable index of those traces; the hash-chained JSONL remains the source of
163
+ truth. Inspect the growing fix journal or repair a missed export with:
164
+
165
+ ```bash
166
+ wydcode traces status
167
+ wydcode traces sync --project ./my-repo
168
+ ```
169
+
170
+ `traces status` reports both indexed and pending event counts and exits nonzero
171
+ while pending events exist. A trace is
172
+ durable as soon as it reaches the hash-chained JSONL ledger, but it is not
173
+ available in the rebuildable MumpixDB index until the pending count returns to
174
+ zero. Exact recurrence routing reads and verifies the hash-chained source ledger
175
+ directly; it does not trust approximate index results for route selection.
176
+ `traces sync` exits nonzero when any index update remains incomplete.
177
+
178
+ Trace records contain repository identity, task and model accounting, gate and
179
+ artifact hashes, and changed-file paths. They do not contain source or patch
180
+ content, and they never infer a recurrence family during collection.
181
+
182
+ ### Exact Recurrence Retrieval
183
+
184
+ Retrieval is exact-or-abstain. It never uses embeddings, model relevance
185
+ scores, thresholds, nearest neighbors, or approximate fallback. A fix opts in
186
+ with a structured card compiled under the frozen four-field grammar:
187
+
188
+ ```bash
189
+ wydcode fix \
190
+ "A later instance violates the same terminal-state invariant" \
191
+ --project ./my-repo \
192
+ --declared-file src/state.js \
193
+ --recurrence-card recurrence-card.json
194
+ ```
195
+
196
+ After reading a passing diff, a reviewer may bind behavior rather than source
197
+ or patch text. Minting also requires a passing held-out evidence artifact with
198
+ hidden feedback disabled:
199
+
200
+ ```bash
201
+ wydcode approve \
202
+ --project ./my-repo \
203
+ --behavior-card behavior-preference.json \
204
+ --heldout-evidence heldout-evidence.json
205
+ wydcode promote --project ./my-repo
206
+ ```
207
+
208
+ The promotion mints a probationary project-scoped `PREFER` gene only when the
209
+ task gate, full-suite milestone, held-out probe, human authorization, bundle
210
+ hash, repository identity, and exact key all agree. A later task fires only
211
+ when exactly one prior gene has the same complete key. Missing keys, collisions,
212
+ project mismatches, and exact task replays abstain.
213
+ Injection also abstains unless the configured context budget preserves the full
214
+ output cap, the existing prompt, and a fixed safety margin; retrieval never
215
+ borrows output headroom.
216
+
217
+ For a paired cold control, create the same frozen task in an isolated checkout
218
+ with `--retrieval disabled`. A route fire or retrieval-backed promotion is not
219
+ by itself a capability lift; that claim requires the gene-backed arm to pass
220
+ where its paired cold arm fails under the same budgets and gates.
221
+
222
+ Examples: [recurrence card](examples/exact-recurrence-card.json),
223
+ [behavior card](examples/behavior-preference-card.json), and
224
+ [held-out evidence](examples/heldout-gene-evidence.json). Existing traces that
225
+ predate this mechanism are not retroactively enriched or treated as genes.
226
+
227
+ ### Large-file output contract
228
+
229
+ For a single existing file whose estimated full replacement would consume at
230
+ least 75% of the reserved output budget, wydcode automatically requests exact
231
+ anchored edits instead of a full-file rewrite. Every anchor must match the
232
+ original file exactly once, edit ranges may not overlap, and paths must remain
233
+ inside the declared file set. Missing, repeated, overlapping, mixed-contract,
234
+ or otherwise malformed anchors fail closed before an artifact reaches the test
235
+ overlay. The harness then materializes accepted edits into the same atomic
236
+ sandbox and runs the ordinary syntax, test, review, approval, and promotion
237
+ gates; anchored mode does not bypass or weaken any gate.
238
+
239
+ Gate outcomes distinguish a patch failure from a gate that could not execute.
240
+ A syntax or test failure is evidence against the patch. A missing parser,
241
+ compiler, test runner, or dependency is reported as infrastructure unavailable
242
+ and blocks the task without classifying the patch as bad.
243
+
244
+ Plan-only smoke without a live model:
245
+
246
+ ```bash
247
+ wydcode fix \
248
+ "Fix add so it returns the sum" \
249
+ --project ./my-repo \
250
+ --declared-file src/math.js \
251
+ --plan-only
252
+ ```
253
+
254
+ ## How To Delegate Well
255
+
256
+ Good bug descriptions name the area, plugin, file, function, or error surface.
257
+ This helps `wydcode` choose a narrow first scope or fail closed.
258
+
259
+ Better:
260
+
261
+ ```text
262
+ In the updateLocale plugin, partial updates to nested locale formats wipe out sibling formats.
263
+ ```
264
+
265
+ Also good:
266
+
267
+ ```text
268
+ processValue appears to turn --timestamp into NaN before applyCoercions can run.
269
+ ```
270
+
271
+ Weak:
272
+
273
+ ```text
274
+ It breaks when I pass a timestamp.
275
+ ```
276
+
277
+ If `wydcode` cannot determine a safe file scope, it stops and asks for
278
+ `--declared-file`. That is intentional. Failing closed is a product feature;
279
+ guessing wrong is a bug.
280
+
281
+ ## Model Expectations
282
+
283
+ Small local models can be useful behind the gate, but they are not magic. In our
284
+ receipts, `qwen2.5-coder:14b` handled small local JavaScript fixes and failed on
285
+ a real TypeScript library by returning advice instead of a patch. The gate kept
286
+ that failure out of the source tree.
287
+
288
+ Use a stronger model when the repo is large, TypeScript-heavy, cross-file, or
289
+ semantically subtle. `wydcode`'s job is to make the attempt auditable and gated, not
290
+ to pretend every model can fix every bug.
291
+
292
+ ## Safety Model
293
+
294
+ `wydcode` is a workspace tool, not a security sandbox.
295
+
296
+ - The model can see the source files included in its prompt.
297
+ - The model writes staged artifacts under `.socra/`.
298
+ - Product source writes require `review -> approve -> promote`.
299
+ - A reviewed patch can instead end with `reject`; that exact artifact hash can
300
+ never be approved afterward.
301
+ - Approval is hash-bound to the exact presented diff.
302
+ - `fix` requires the configured local endpoint to be reachable before creating a
303
+ real job.
304
+ - Hosted fallback is disabled in the generated config.
305
+ - Do not run `wydcode` on repositories containing secrets you would not show to the
306
+ configured model endpoint.
307
+
308
+ See [SECURITY.md](SECURITY.md).
309
+
310
+ ## Receipts
311
+
312
+ These are append-only evidence, not marketing claims.
313
+
314
+ | Run | Date | Model | Outcome | Lesson |
315
+ | --- | --- | --- | --- | --- |
316
+ | Clean VM exit test | 2026-07-09 | `qwen2.5-coder:14b` | pass | setup and the five-step loop worked on a fresh Ubuntu VM |
317
+ | Day.js real-repo exam | 2026-07-06 | `ornith-1.0-35b-Q6_K` | 3/5 clean primary passes | even a 35B local model has a real envelope |
318
+ | Overnight Day.js run | 2026-07-09 | `qwen2.5-coder:14b` | `human_rejects_diff` | the gate caught a plausible task-green but semantically unsafe fix |
319
+ | Cold yargs run | 2026-07-09 | `qwen2.5-coder:14b` | `bad_fix_gate_red`, subtype `not_a_patch` | advisory prose died at static review before tests or source writes |
320
+ | Scope inference rerun | 2026-07-09 | `qwen2.5-coder:14b` | scope fixed, patch still rejected | inference improved; model quality remained bounded |
321
+ | Acquisition false-negative audit | 2026-07-12 | `ornith-1.0-35b-Q6_K` | frozen `0/10`; repaired tail `4/5` promoted | failure-layer bucketing found a deterministic newline defect in Wydcode, not a pure model ceiling |
322
+
323
+ Receipt index:
324
+
325
+ - [Generated receipts](docs/generated/README.md)
326
+ - [Public package rehearsal](docs/generated/wydcode_public_rehearsal_20260710.json)
327
+ - [Public full-loop rehearsal](docs/generated/wydcode_full_loop_rehearsal_20260710.json)
328
+ - [Registry action receipt](docs/generated/wydcode_registry_action_20260710.json)
329
+ - [Clean VM exit test](docs/generated/clean_machine_exit_test_lima_qwen_20260709.json)
330
+ - [Overnight Day.js result](docs/generated/overnight_real_repo_run_v1_result.json)
331
+ - [Cold real-issue VM result](docs/generated/cold_real_issue_vm_run_v1_result.json)
332
+ - [Scope inference rerun receipt](docs/generated/scope_inference_after_overnight_arm_a.json)
333
+ - [Frozen acquisition result](docs/generated/ornith35b_acquisition_stopping_result_v1_20260712.json)
334
+ - [Repaired acquisition-tail result](docs/generated/wydcode_final_newline_repair_tail_replication_result_v1_20260712.json)
335
+ - [Moment-to-Day.js transfer writeup](docs/stress_tests/moment_to_dayjs_transfer_writeup.md)
336
+ - [Scope inference v1.1 spec](docs/SCOPE_INFERENCE_V1_1_SPEC.md)
337
+
338
+ ## Clean-Machine Exit Test
339
+
340
+ On a fresh Ubuntu/Linux VM:
341
+
342
+ ```bash
343
+ bash scripts/run_clean_machine_exit_test_ubuntu.sh
344
+ ```
345
+
346
+ The script installs documented prerequisites when needed, starts Ollama, pulls
347
+ `qwen2.5-coder:14b`, installs `wydcode` into a local venv, and runs the five-step
348
+ fixture check with `receipt_scope=clean_machine_exit_test`.
349
+
350
+ Timing is split into:
351
+
352
+ - prerequisite setup: external tools and model acquisition
353
+ - `wydcode` setup: install time plus `wydcode init`
354
+ - fix loop: `fix -> review -> approve -> promote -> npm test`
355
+
356
+ Only `wydcode` setup is the under-five-minute setup claim. Model pull and inference
357
+ time are reported separately.
358
+
359
+ ## Stranger-Test Protocol
360
+
361
+ This is the launch gate.
362
+
363
+ - two people who have never seen the project
364
+ - README only
365
+ - no coaching, hints, or touching their machine
366
+ - success means the fixture loop completes unassisted
367
+ - every stall is copied verbatim as a docs bug
368
+ - if either person stalls, patch docs and rerun with a fresh stranger
369
+ - if both pass, launch
370
+
371
+ ## Pre-Launch Gate
372
+
373
+ - The repository must be public before Show HN or stranger testing.
374
+ - The npm metadata links must resolve publicly before the next public publish.
375
+ - The two-stranger gate must pass before the launch post is published.
376
+
377
+ ## Source And Contributions
378
+
379
+ The source is licensed under BUSL-1.1; see [LICENSE](LICENSE). The `wydcode`,
380
+ wydcode, Socra, and MumpixDB names and logos are not licensed with the
381
+ source; see [TRADEMARKS.md](TRADEMARKS.md).
382
+
383
+ Security reports belong in the repository's private vulnerability-reporting
384
+ form, not a public issue. External code contributions require the contributor
385
+ terms described in [CONTRIBUTING.md](CONTRIBUTING.md) before merge.
386
+
387
+ ## Current Limits
388
+
389
+ - v1 scope inference uses path and filename signals. v1.1 will add
390
+ content-token rarity matching; see [Scope Inference v1.1](docs/SCOPE_INFERENCE_V1_1_SPEC.md).
391
+ - Historical receipts may mention `socra`, `wydcode`, or wydcode.
392
+ Those are the engine and pre-public-name labels; the public package and command
393
+ are `wydcode`.
394
+ - The project is local-first. It assumes you control the endpoint you configure.
395
+
396
+ ## Additional Harness Tools
397
+
398
+ Start an interactive local GGUF session:
399
+
400
+ ```bash
401
+ wydcode start
402
+ ```
403
+
404
+ Serve a GGUF through the local OpenAI-compatible endpoint:
405
+
406
+ ```bash
407
+ wydcode serve \
408
+ --model ~/models/model.gguf \
409
+ --llama-server /path/to/llama-server \
410
+ --alias MyLocalCoder \
411
+ --port 11439
412
+ ```
413
+
414
+ Benchmark a GGUF:
415
+
416
+ ```bash
417
+ wydcode eval humaneval \
418
+ --model ~/models/model.gguf \
419
+ --llama-cli /path/to/llama-cli \
420
+ --tasks /path/to/humaneval.jsonl \
421
+ --mode socra
422
+ ```
423
+
424
+ Scan a repo for repeatable candidates:
425
+
426
+ ```bash
427
+ wydcode scan ./my-repo --out .socra/candidates.json
428
+ ```
429
+
430
+ Show status:
431
+
432
+ ```bash
433
+ wydcode status --project ./my-repo
434
+ ```
package/SECURITY.md ADDED
@@ -0,0 +1,64 @@
1
+ # Security
2
+
3
+ `wydcode` is a local workspace tool, not a security sandbox.
4
+
5
+ The internal engine and historical receipts may still use the Socra Harness
6
+ name. The public command and npm package are `wydcode`; `.socra/` remains the
7
+ state directory.
8
+
9
+ ## What `wydcode` Does Protect
10
+
11
+ - Source changes are staged under `.socra/` before promotion.
12
+ - `review` presents a dry-run diff and records artifact hashes.
13
+ - `approve` is a separate command and is bound to the presented diff hash.
14
+ - `promote` is the only product command that writes the real source tree.
15
+ - Generated config disables hosted fallback by default.
16
+ - Validated-fix traces stay local under `~/.wydcode/traces` and contain hashes
17
+ and metadata, not source or patch content.
18
+
19
+ ## What `wydcode` Does Not Protect
20
+
21
+ - It does not make an untrusted model safe.
22
+ - It does not hide prompted source files from the configured model endpoint.
23
+ - It does not prevent a malicious local endpoint from logging prompts.
24
+ - It does not sandbox arbitrary dependency install scripts.
25
+ - It does not replace git, backups, code review, or CI.
26
+
27
+ ## Safe Use
28
+
29
+ - Run `wydcode` only in git repositories.
30
+ - Start with small, module-scoped fixes.
31
+ - Use `--declared-file` when you know the file.
32
+ - Read the diff before approving it.
33
+ - Do not run `wydcode` on repositories containing secrets you would not send to the
34
+ configured local endpoint.
35
+ - Prefer disposable VMs or containers for unfamiliar repositories.
36
+
37
+ ## Network And Installs
38
+
39
+ Product `fix` uses the endpoint recorded in `.socra/config.json`.
40
+
41
+ The cross-project trace ledger and its MumpixDB index are local files. No trace
42
+ upload or hosted fallback occurs. Set `WYDCODE_TRACE_HOME` to move the store to
43
+ another local volume.
44
+
45
+ The hash-chained JSONL ledger is authoritative; the MumpixDB index is derived.
46
+ Treat a nonzero `wydcode traces status` pending count as an evidence-integrity
47
+ failure and run `wydcode traces sync --project .` before relying on retrieval.
48
+ The CLI surfaces index failures without rolling back an already-applied,
49
+ hash-receipted promotion.
50
+
51
+ Interactive sandbox commands are separate from product promotion. If you enable
52
+ network or install access for interactive agents, keep it inside disposable
53
+ sandbox workspaces and review outputs before copying anything into source.
54
+
55
+ ## Reporting
56
+
57
+ Do not open a public issue for a suspected vulnerability or leaked credential.
58
+ Use GitHub's private vulnerability-reporting form for this repository:
59
+
60
+ https://github.com/mumpix/wydcode/security/advisories/new
61
+
62
+ Include the affected version, reproduction steps, impact, and any suggested
63
+ mitigation. If the report includes a credential, provide only enough of the
64
+ value to identify it; never paste a complete live secret.
@@ -0,0 +1,36 @@
1
+ # Socra Source Provenance
2
+
3
+ This npm package is the `wydcode` public distribution of the Socra Harness
4
+ engine. The public command and npm package are `wydcode`; the Python module and
5
+ some historical receipts still use the `socra_harness` / Socra Harness engine
6
+ name.
7
+
8
+ Canonical source repository:
9
+
10
+ ```text
11
+ https://github.com/mumpix/wydcode
12
+ ```
13
+
14
+ The source tree location is the repository root. Provenance identity is the
15
+ commit below; it never includes a builder-specific absolute path.
16
+
17
+ Canonical source reference used for `wydcode@0.4.3`:
18
+
19
+ ```text
20
+ bd6e4f2a51f24f8ffaf30c5976f82d7fae5040f9
21
+ ```
22
+
23
+ Source status:
24
+
25
+ ```text
26
+ clean
27
+ ```
28
+
29
+ Policy:
30
+
31
+ - Changes land in the canonical source tree first.
32
+ - `wydcode` is the public npm install identity.
33
+ - Changes should land in the canonical tree first, then this package should be
34
+ regenerated from a pinned commit with `scripts/build_wydcode_package.sh`.
35
+ - Rehearsals for stranger-facing docs must use the public command name
36
+ `wydcode`, not only the internal `socra-harness` alias.
package/TRADEMARKS.md ADDED
@@ -0,0 +1,12 @@
1
+ # Trademarks
2
+
3
+ `wydcode`, Socra Harness, Socra, MumpixDB, their logos, and associated product
4
+ branding are marks of MumpixDB.
5
+
6
+ The software license does not grant permission to use these marks to identify,
7
+ promote, or imply endorsement of a modified product or commercial service.
8
+ Accurate, nominative references to the unmodified project are permitted.
9
+
10
+ Forks must use distinct names and branding unless MumpixDB grants written
11
+ permission. Nothing in this policy limits rights that cannot be restricted by
12
+ applicable law.