certfix 0.2.0__tar.gz → 0.3.0__tar.gz

{certfix-0.2.0 → certfix-0.3.0}/.certfix.yaml.example

@@ -1,69 +1,69 @@
-# certfix configuration example
-#
-# Recommended setup:
-#
-#   certfix config qwen36-mtp-local --output .certfix.yaml
-#
-# This checked-in example mirrors the v0.1.0 local Qwen3.6 MTP profile. Start an
-# MTP-capable llama.cpp server before running `certfix check` or `certfix fix`.
-# The server must support `--spec-type draft-mtp`.
-
-detection:
-  backend: local_llama_server
-  prompt_profile: qwen36_certfix_check_v1
-  batch_size: 1
-  qwen36_rule_id_strategy: sequential_top2_p3
-  qwen36_selector_candidate_k: 2
-  qwen36_selector_permutations: 3
-  api:
-    base_url: http://127.0.0.1:8952/v1
-    model: unsloth/Qwen3.6-27B-MTP-GGUF:UD-Q4_K_XL
-    api_key_env: ""
-    timeout: 300
-    max_tokens: 1024
-    temperature: 0.0
-
-models:
-  qwen36_local:
-    backend: local_llama_server
-    profile: qwen36_27b_local
-    max_tokens: 4096
-    temperature: 0.0
-    api:
-      base_url: http://127.0.0.1:8952/v1
-      model: unsloth/Qwen3.6-27B-MTP-GGUF:UD-Q4_K_XL
-      api_key_env: ""
-      timeout: 300
-      max_tokens: 4096
-      temperature: 0.0
-
-validation:
-  compile:
-    enabled: true
-    command: gcc
-    args: ["-fsyntax-only"]
-    include_paths: []
-    timeout: 30
-  violation_removal:
-    enabled: true
-    detector_role: qwen36_local
-    method: non_target_advisory
-    max_tokens: 512
-    override_denylist: ["SIG34-C", "STR31-C"]
-  semantic:
-    enabled: true
-    reviewer_role: qwen36_local
-    block_on_uncertain: true
-
-fix:
-  simple_repairer_role: qwen36_local
-  simple_repair_profile: qwen36_27b_complete_repair_rule_guided_v1
-  simple_max_tokens: 4096
-  validate_guided_retry: true
-  retry_max_attempts: 1
-  retry_max_tokens: 4096
-  retry_rule_addenda_v1: true
-  retry_rule_addenda_rule_ids: ["ARR37-C", "CON31-C", "POS48-C", "SIG30-C", "ENV33-C"]
-
-check:
-  exclude: []
+# certfix configuration example
+#
+# Recommended setup:
+#
+#   certfix config qwen36-mtp-local --output .certfix.yaml
+#
+# This checked-in example mirrors the v0.1.0 local Qwen3.6 MTP profile. Start an
+# MTP-capable llama.cpp server before running `certfix check` or `certfix fix`.
+# The server must support `--spec-type draft-mtp`.
+
+detection:
+  backend: local_llama_server
+  prompt_profile: qwen36_certfix_check_v1
+  batch_size: 1
+  qwen36_rule_id_strategy: sequential_top2_p3
+  qwen36_selector_candidate_k: 2
+  qwen36_selector_permutations: 3
+  api:
+    base_url: http://127.0.0.1:8952/v1
+    model: unsloth/Qwen3.6-27B-MTP-GGUF:UD-Q4_K_XL
+    api_key_env: ""
+    timeout: 300
+    max_tokens: 1024
+    temperature: 0.0
+
+models:
+  qwen36_local:
+    backend: local_llama_server
+    profile: qwen36_27b_local
+    max_tokens: 4096
+    temperature: 0.0
+    api:
+      base_url: http://127.0.0.1:8952/v1
+      model: unsloth/Qwen3.6-27B-MTP-GGUF:UD-Q4_K_XL
+      api_key_env: ""
+      timeout: 300
+      max_tokens: 4096
+      temperature: 0.0
+
+validation:
+  compile:
+    enabled: true
+    command: gcc
+    args: ["-fsyntax-only"]
+    include_paths: []
+    timeout: 30
+  violation_removal:
+    enabled: true
+    detector_role: qwen36_local
+    method: non_target_advisory
+    max_tokens: 512
+    override_denylist: ["SIG34-C", "STR31-C"]
+  semantic:
+    enabled: true
+    reviewer_role: qwen36_local
+    block_on_uncertain: true
+
+fix:
+  simple_repairer_role: qwen36_local
+  simple_repair_profile: qwen36_27b_complete_repair_rule_guided_v1
+  simple_max_tokens: 4096
+  validate_guided_retry: true
+  retry_max_attempts: 1
+  retry_max_tokens: 4096
+  retry_rule_addenda_v1: true
+  retry_rule_addenda_rule_ids: ["ARR37-C", "CON31-C", "POS48-C", "SIG30-C", "ENV33-C"]
+
+check:
+  exclude: []

certfix-0.3.0/.gitattributes

@@ -0,0 +1,6 @@
+* text=auto
+
+*.sh text eol=lf
+Dockerfile text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf

{certfix-0.2.0 → certfix-0.3.0}/.github/workflows/ci.yml

@@ -58,6 +58,7 @@ jobs:
           /tmp/certfix-wheel-smoke/bin/python -m pip install --upgrade pip
           /tmp/certfix-wheel-smoke/bin/python -m pip install dist/*.whl
           /tmp/certfix-wheel-smoke/bin/certfix --help
+          /tmp/certfix-wheel-smoke/bin/certfix-docker --help
           /tmp/certfix-wheel-smoke/bin/certfix config --list
           /tmp/certfix-wheel-smoke/bin/certfix config qwen36-mtp-local --output /tmp/certfix-smoke.yaml
           test -s /tmp/certfix-smoke.yaml
@@ -67,4 +68,5 @@ jobs:
         run: |
           docker build -t certfix-ci .
           docker run --rm certfix-ci --help
+          docker run --rm certfix-ci certfix-docker --help
           docker run --rm certfix-ci config --list

{certfix-0.2.0 → certfix-0.3.0}/.github/workflows/docker.yml

@@ -67,11 +67,12 @@ jobs:
           tags: ${{ steps.image.outputs.tags }}
           labels: |
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.description=certfix API-only CLI image
+            org.opencontainers.image.description=certfix CLI image for API, local, and hybrid routes
             org.opencontainers.image.licenses=MIT
 
       - name: Smoke test published image
         run: |
           first_tag="$(printf '%s\n' "${{ steps.image.outputs.tags }}" | head -n 1)"
           docker run --rm "${first_tag}" --help
+          docker run --rm "${first_tag}" certfix-docker --help
           docker run --rm "${first_tag}" config --list

{certfix-0.2.0 → certfix-0.3.0}/.gitignore

@@ -1,82 +1,82 @@
-# Python
-__pycache__/
-*.py[cod]
-*$py.class
-*.so
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-
-# Virtual environments
-.env
-.venv
-env/
-venv/
-ENV/
-
-# IDE
-.idea/
-.vscode/
-*.swp
-*.swo
-*~
-
-# Testing
-.tox/
-.nox/
-.coverage
-.coverage.*
-htmlcov/
-.pytest_cache/
-model-smoke-results/
-.mypy_cache/
-
-# certfix-generated reports, fixed-code candidates, and patches
-certfix-output/
-
-# Local model smoke configs
-configs/local-*.yaml
-configs/local-*.yml
-
-# Build
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Models (large files)
-*.gguf
-*.bin
-models/
-
-# MCP (local tool config)
-.mcp.json
-mcp-servers/
-
-# OS
-.DS_Store
-Thumbs.db
-
-# Local/private maintainer notes not included in the initial public repo
-docs/research-archive/
-CLAUDE.md
-README.ja.local.md
-
-# Locally generated maintainer evaluation datasets
-src/certfix/data/*samples.jsonl.gz
-eval-splits/
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual environments
+.env
+.venv
+env/
+venv/
+ENV/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Testing
+.tox/
+.nox/
+.coverage
+.coverage.*
+htmlcov/
+.pytest_cache/
+model-smoke-results/
+.mypy_cache/
+
+# certfix-generated reports, fixed-code candidates, and patches
+certfix-output/
+
+# Local model smoke configs
+configs/local-*.yaml
+configs/local-*.yml
+
+# Build
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Models (large files)
+*.gguf
+*.bin
+models/
+
+# MCP (local tool config)
+.mcp.json
+mcp-servers/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local/private maintainer notes not included in the initial public repo
+docs/research-archive/
+CLAUDE.md
+README.ja.local.md
+
+# Locally generated maintainer evaluation datasets
+src/certfix/data/*samples.jsonl.gz
+eval-splits/

certfix-0.3.0/AGENTS.md

@@ -0,0 +1,111 @@
+# certfix Public Release Notes For Agents
+
+This repository is the release-side workspace for `certfix`, a CLI for detecting
+and repairing CERT-C issues in C source code.
+
+## Public Boundary
+
+- Treat this repository as publishable. Do not add local absolute paths,
+  private keys, model checkpoints, evaluation datasets, cloud run details, or
+  internal experiment logs.
+- The initial public repository intentionally excludes `docs/research-archive/`
+  and local scratchpad files such as `CLAUDE.md`.
+- Research provenance belongs in internal project records or a separately
+  sanitized archive, not in the primary public docs.
+- SFT artifacts and experiment-side datasets are not required for normal
+  v0.1.0 usage.
+
+## Release Path
+
+- The public v0.1.0 path is Qwen3.6-centered.
+- The main local config is `configs/qwen36-mtp-local.yaml`.
+- `certfix fix` uses the public Qwen3.6-centered repair path.
+- API profiles are optional and send source code to the configured provider.
+
+## Release Traceability
+
+- Public release tags such as `v0.1.0` belong to the public repository
+  `safe-c-ai/certfix`.
+- The development repository must use a separate source tag for each public
+  release, named `public/vX.Y.Z-source`.
+- Record the public tag/SHA and development source tag/SHA mapping in
+  `docs/research-archive/RELEASE_TRACEABILITY.md`.
+- Do not keep ambiguous `vX.Y.Z` release tags in `certfix-dev`.
+- Before deciding whether current work belongs to an already-published release
+  or the next release, verify the live release state instead of relying on
+  memory or conversation context.
+- Last live release check before the current next-release work on 2026-06-02:
+  - `safe-c-ai/certfix` latest GitHub Release: `v0.2.0`.
+  - `safe-c-ai/certfix-dev` latest public source tag: `public/v0.2.0-source`.
+  Treat later local changes as next-release work unless the user explicitly
+  says they are patching an already-published release.
+- Use these checks before editing release notes, version docs, tags, or release
+  instructions:
+
+```bash
+python3 - <<'PY'
+import json
+import urllib.request
+
+repo = "safe-c-ai/certfix"
+url = f"https://api.github.com/repos/{repo}/releases/latest"
+with urllib.request.urlopen(url, timeout=15) as response:
+    release = json.load(response)
+print(f"{repo} latest GitHub Release: {release['tag_name']}")
+PY
+
+git ls-remote --tags dev 'refs/tags/public/v*' 'refs/tags/v*' | sort -V
+```
+
+- `safe-c-ai/certfix-dev` may not expose GitHub Releases through the public API.
+  In that case, use the `public/vX.Y.Z-source` remote tags as the dev-side
+  release traceability state.
+- Do not rewrite release notes for an already-published public version to
+  describe new unreleased work. Add a new top-level section for the next release
+  instead.
+- Release order is review-gated. For substantial README, docs, Docker,
+  packaging, release-note, or public-boundary changes, do not treat the work as
+  ready to publish until the user has reviewed the changed files or a sanitized
+  review archive and explicitly approved proceeding.
+- The normal order for substantial public-facing changes is:
+  1. Implement changes in `certfix-dev`.
+  2. Run local consistency checks that do not publish anything.
+  3. Create a sanitized review archive, excluding local scratchpads, private
+     research archives, evaluation splits, generated sample datasets, secrets,
+     and local-only files.
+  4. Wait for user review and approval.
+  5. Only after approval, prepare release notes, public sync, tags, GitHub
+     Release, PyPI, or GHCR publishing steps.
+- If the user asks "what next?" after implementation but before review, the next
+  step is review preparation and review, not publication or release finalization.
+
+## Git And GitHub Guidance
+
+- When giving the user Git or GitHub operation commands, explain what each
+  command does, which repository/branch/tag it affects, and whether it is
+  destructive or hard to undo.
+- For push, tag, release, visibility, deletion, force, reset, rebase, merge,
+  checkout/restore, clean, or branch deletion operations, include the expected
+  pre-check and post-check commands.
+- Prefer explicit repository paths in instructions when both `certfix-dev` and
+  `certfix-public` are involved.
+
+## Documentation Wording
+
+- Prefer cautious claims: validation gates reduce risk; they do not guarantee
+  behavior equivalence or security correctness.
+- Benchmark claims should point to `docs/BENCHMARK_SUMMARY.md` and keep its
+  caveats intact.
+- Do not present historical model names, old benchmark values, or archived
+  decisions as current release defaults.
+
+## Development Commands
+
+```bash
+pip install -e ".[dev]"
+pytest
+ruff check src/ tests/ scripts/
+ruff format src/ tests/ scripts/
+python3 -m build --sdist --wheel
+python3 scripts/check_release_readiness.py
+```

{certfix-0.2.0 → certfix-0.3.0}/Dockerfile

@@ -14,11 +14,13 @@ WORKDIR /opt/certfix
 
 COPY pyproject.toml README.md LICENSE THIRD_PARTY_NOTICES.md ./
 COPY src ./src
+COPY docker/certfix-entrypoint.sh /usr/local/bin/certfix-entrypoint
 
 RUN python -m pip install --no-cache-dir --upgrade pip \
-    && python -m pip install --no-cache-dir .
+    && python -m pip install --no-cache-dir . \
+    && chmod +x /usr/local/bin/certfix-entrypoint
 
 WORKDIR /workspace
 
-ENTRYPOINT ["certfix"]
+ENTRYPOINT ["certfix-entrypoint"]
 CMD ["--help"]

{certfix-0.2.0 → certfix-0.3.0}/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 certfix team
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 certfix team
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.