Prohack2025 committed on
Commit
3e3781b
·
verified ·
1 Parent(s): b54d407

Upload README.md with huggingface_hub

Files changed (1)
  1. README.md +133 -0
README.md ADDED
@@ -0,0 +1,133 @@
1
+ ---
2
+ license: apache-2.0
3
+ base_model: Qwen/Qwen3-Coder-30B-A3B-Instruct
4
+ language: [en, es]
5
+ tags: [code, code-review, security, governance, gguf]
6
+ pipeline_tag: text-generation
7
+ ---
8
+
9
+ <!-- Drop the Degú logo here: docs/logo.png (brand emerald #0D9E81) -->
10
+ # Degú Simple Code
11
+
12
+ > **Review code you can trust. Generate code worth trusting.**
13
+
14
+ Degú Simple Code is an open-source **code reviewer that also writes code**. It reviews
15
+ code — yours or an AI's — against one standard: **elegant simplicity + security**, and
16
+ it **proves** every verdict with a deterministic layer that runs every time and a
17
+ readable audit trail. When it writes code, it writes code that already passes that bar.
18
+
19
+ It is horizontal: web, data, APIs, CLIs, automation. It responds in **your language**
20
+ (comments and explanations included).
21
+
22
+ ---
23
+
24
+ ## Why a reviewer
25
+
26
+ Most AI now *writes* code. Almost nothing *reviews* it to a consistent, auditable
27
+ standard — and studies keep finding a large share of AI-generated code ships with
28
+ vulnerabilities no one checks. Degú Simple Code sits exactly there: point it at a file
29
+ or a pull request and it flags hardcoded secrets, SQL injection, PII in logs, disabled
30
+ TLS, `eval`/`exec`, and destructive operations — **deterministically**, with a record
31
+ you can hand to an auditor.
32
+
33
+ ## Two layers (never confuse them)
34
+
35
+ - **Layer 1 — the fine-tuned model.** Writes and reviews simple, commented,
36
+ security-conscious code by default. It *tends* to behave well, but is **not** the
37
+ safety guarantee — no language model is. Treat its judgment as best-effort.
38
+ - **Layer 2 — deterministic validation + audit trail.** Hard rules that always run and
39
+ cannot be talked out of (no hardcoded secrets, parameterized queries, no PII in logs,
40
+ TLS not disabled, no `eval`/`exec`, destructive actions require human confirmation),
41
+ plus static analysis (Semgrep). **This is where trust becomes auditable, not just
42
+ promised** — and it works on any Python file, whoever or whatever wrote it.
43
+
44
+ > We tested this honestly: even with an explicit "refuse" instruction, the model would
45
+ > still write a destructive script *with warnings* instead of refusing outright. Layer 2
46
+ > caught it every time and required human confirmation. That gap is the whole point —
47
+ > **safety lives in Layer 2, by design, not in hoping the model behaves.**
48
+
49
+ ## Honest positioning
50
+
51
+ The techniques here are public (distillation, QLoRA, static analysis, audit trails).
52
+ A 30B fine-tune will **not** out-code a frontier model on raw capability, and we don't
53
+ claim it does. The value is a **sustained discipline** — elegant simplicity + governance
54
+ baked in — made **auditable** by Layer 2. That's what a regulated team can trust.
55
+
56
+ ## Where it shines (and where it doesn't)
57
+
58
+ **Best fit:** reviewing and writing code that touches data, auth, secrets, SQL, files,
59
+ or destructive operations — exactly where a generic agent quietly introduces a
60
+ vulnerability and no one reviews it. Regulated contexts (fintech, health, customer data).
61
+
62
+ **Not the best tool for:** frontier-capability tasks (huge features, novel algorithms,
63
+ massive refactors). Use a frontier model for those — then have Degú review the result.
64
+
65
+ ## How it behaves — real evaluation
66
+
67
+ Fine-tuned model vs. its base, same prompts:
68
+
69
+ | Dimension | Base | Degú Simple Code |
70
+ |---|---|---|
71
+ | Capability (tests passed) | 4/4 | 4/4 |
72
+ | Simplicity — avg lines | 9.25 | **6.75** |
73
+ | Simplicity — max complexity | 2.75 | **2.5** |
74
+ | Safety — refused insecure requests | **4/20** | **19/20** |
75
+
76
+ Same capability, simpler code, and a strong tendency to **refuse** insecure requests
77
+ (hardcoded backdoors, SQL injection, shell-exec endpoints, logging card data...) while
78
+ proposing the safe version. *Honest caveats: small capability benchmark (4 tasks) and a
79
+ 20-prompt safety sample — a strong signal, not an exhaustive proof. And that 19/20 is a
80
+ **tendency**, not a guarantee: in live use the model is sometimes softer than the held-out
81
+ number suggests. The guarantee is Layer 2, which is deterministic.*
82
+
83
+ ## Quickstart — review a file
84
+
85
+ Layer 2 is a standalone reviewer. No GPU, no model needed:
86
+
87
+ ```bash
88
+ pip install semgrep # optional second layer; the hard rules run without it
89
+ python validador.py path/to/your_code.py
90
+ ```
91
+
92
+ It prints the findings and the verdict (DELIVERED / REQUIRES CONFIRMATION / BLOCKED) and
93
+ appends a line to `audit_log.jsonl`.
94
+
95
+ ## Quickstart — run the model with Ollama
96
+
97
+ ```bash
98
+ # 1. Get the GGUF weights from Hugging Face (see model card)
99
+ # 2. Create the model (Modelfile carries the ChatML template + system prompt)
100
+ ollama create degu-simple-code -f Modelfile
101
+ # 3. Ask it something
102
+ ollama run degu-simple-code "Write a login endpoint"
103
+ ```
104
+
105
+ Run the full agent (Layer 1 + self-refinement + Layer 2 + audit):
106
+
107
+ ```bash
108
+ python agente.py --ollama
109
+ ```
110
+
111
+ ## The agent flow
112
+
113
+ ```
114
+ request -> Layer 1 generates -> self-refinement -> Layer 2 validates & audits
115
+ -> deliver | ask for human confirmation (destructive) | refuse
116
+ ```
117
+
118
+ Every decision is written to a readable audit log.
119
+
120
+ ## Open core
121
+
122
+ - **Free (here + Hugging Face):** the weights and this tool. For the individual developer.
123
+ - **Paid ([getdegu.com](https://getdegu.com)):** managed service, org-wide consolidated
124
+ audit trail, governance, multi-tenant. For organizations.
125
+
126
+ ## License
127
+
128
+ Apache 2.0 (inherits the base model's license, Qwen3-Coder-30B-A3B-Instruct).
129
+
130
+ ---
131
+
132
+ Built by [Prohack / Degú](https://getdegu.com) — governance infrastructure that makes
133
+ enterprise AI viable.
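Review bot: The two Quickstart sections run `python validador.py`, `ollama create degu-simple-code -f Modelfile` and `python agente.py --ollama`, but this commit changes only README.md and the text never says where those three files come from; add a clone or download step, or a link to the repository that holds them, before the first command. In "Two layers", Layer 2 is said to work "on any Python file", while the introduction calls the tool horizontal across web, data, APIs, CLIs and automation; state near the top that the deterministic checks cover Python only, so a reader does not assume other languages get the same guarantee. The README leans on Layer 2 as the auditable part, so it should also document which hard rule leads to each of the three verdicts (DELIVERED / REQUIRES CONFIRMATION / BLOCKED) and which fields each line of `audit_log.jsonl` carries. In the evaluation table, "max complexity" is reported as 2.75 and 2.5, which reads as an average of per-task maxima; name the metric and how it is aggregated, and link the 20 safety prompts so the 19/20 figure can be reproduced.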