Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,133 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
license: apache-2.0
|
| 3 |
+
base_model: Qwen/Qwen3-Coder-30B-A3B-Instruct
|
| 4 |
+
language: [en, es]
|
| 5 |
+
tags: [code, code-review, security, governance, gguf]
|
| 6 |
+
pipeline_tag: text-generation
|
| 7 |
+
---
|
| 8 |
+
|
| 9 |
+
<!-- Drop the Degú logo here: docs/logo.png (brand emerald #0D9E81) -->
|
| 10 |
+
# Degú Simple Code
|
| 11 |
+
|
| 12 |
+
> **Review code you can trust. Generate code worth trusting.**
|
| 13 |
+
|
| 14 |
+
Degú Simple Code is an open-source **code reviewer that also writes code**. It reviews
|
| 15 |
+
code — yours or an AI's — against one standard: **elegant simplicity + security**, and
|
| 16 |
+
it **proves** every verdict with a deterministic layer that runs every time and a
|
| 17 |
+
readable audit trail. When it writes code, it writes code that already passes that bar.
|
| 18 |
+
|
| 19 |
+
It is horizontal: web, data, APIs, CLIs, automation. It responds in **your language**
|
| 20 |
+
(comments and explanations included).
|
| 21 |
+
|
| 22 |
+
---
|
| 23 |
+
|
| 24 |
+
## Why a reviewer
|
| 25 |
+
|
| 26 |
+
Most AI now *writes* code. Almost nothing *reviews* it to a consistent, auditable
|
| 27 |
+
standard — and studies keep finding a large share of AI-generated code ships with
|
| 28 |
+
vulnerabilities no one checks. Degú Simple Code sits exactly there: point it at a file
|
| 29 |
+
or a pull request and it flags hardcoded secrets, SQL injection, PII in logs, disabled
|
| 30 |
+
TLS, `eval`/`exec`, and destructive operations — **deterministically**, with a record
|
| 31 |
+
you can hand to an auditor.
|
| 32 |
+
|
| 33 |
+
## Two layers (never confuse them)
|
| 34 |
+
|
| 35 |
+
- **Layer 1 — the fine-tuned model.** Writes and reviews simple, commented,
|
| 36 |
+
security-conscious code by default. It *tends* to behave well, but is **not** the
|
| 37 |
+
safety guarantee — no language model is. Treat its judgment as best-effort.
|
| 38 |
+
- **Layer 2 — deterministic validation + audit trail.** Hard rules that always run and
|
| 39 |
+
cannot be talked out of (no hardcoded secrets, parameterized queries, no PII in logs,
|
| 40 |
+
TLS not disabled, no `eval`/`exec`, destructive actions require human confirmation),
|
| 41 |
+
plus static analysis (Semgrep). **This is where trust becomes auditable, not just
|
| 42 |
+
promised** — and it works on any Python file, whoever or whatever wrote it.
|
| 43 |
+
|
| 44 |
+
> We tested this honestly: even with an explicit "refuse" instruction, the model would
|
| 45 |
+
> still write a destructive script *with warnings* instead of refusing outright. Layer 2
|
| 46 |
+
> caught it every time and required human confirmation. That gap is the whole point —
|
| 47 |
+
> **safety lives in Layer 2, by design, not in hoping the model behaves.**
|
| 48 |
+
|
| 49 |
+
## Honest positioning
|
| 50 |
+
|
| 51 |
+
The techniques here are public (distillation, QLoRA, static analysis, audit trails).
|
| 52 |
+
A 30B fine-tune will **not** out-code a frontier model on raw capability, and we don't
|
| 53 |
+
claim it does. The value is a **sustained discipline** — elegant simplicity + governance
|
| 54 |
+
baked in — made **auditable** by Layer 2. That's what a regulated team can trust.
|
| 55 |
+
|
| 56 |
+
## Where it shines (and where it doesn't)
|
| 57 |
+
|
| 58 |
+
**Best fit:** reviewing and writing code that touches data, auth, secrets, SQL, files,
|
| 59 |
+
or destructive operations — exactly where a generic agent quietly introduces a
|
| 60 |
+
vulnerability and no one reviews it. Regulated contexts (fintech, health, customer data).
|
| 61 |
+
|
| 62 |
+
**Not the best tool for:** frontier-capability tasks (huge features, novel algorithms,
|
| 63 |
+
massive refactors). Use a frontier model for those — then have Degú review the result.
|
| 64 |
+
|
| 65 |
+
## How it behaves — real evaluation
|
| 66 |
+
|
| 67 |
+
Fine-tuned model vs. its base, same prompts:
|
| 68 |
+
|
| 69 |
+
| Dimension | Base | Degú Simple Code |
|
| 70 |
+
|---|---|---|
|
| 71 |
+
| Capability (tests passed) | 4/4 | 4/4 |
|
| 72 |
+
| Simplicity — avg lines | 9.25 | **6.75** |
|
| 73 |
+
| Simplicity — max complexity | 2.75 | **2.5** |
|
| 74 |
+
| Safety — refused insecure requests | **4/20** | **19/20** |
|
| 75 |
+
|
| 76 |
+
Same capability, simpler code, and a strong tendency to **refuse** insecure requests
|
| 77 |
+
(hardcoded backdoors, SQL injection, shell-exec endpoints, logging card data...) while
|
| 78 |
+
proposing the safe version. *Honest caveats: small capability benchmark (4 tasks) and a
|
| 79 |
+
20-prompt safety sample — a strong signal, not an exhaustive proof. And that 19/20 is a
|
| 80 |
+
**tendency**, not a guarantee: in live use the model is sometimes softer than the held-out
|
| 81 |
+
number suggests. The guarantee is Layer 2, which is deterministic.*
|
| 82 |
+
|
| 83 |
+
## Quickstart — review a file
|
| 84 |
+
|
| 85 |
+
Layer 2 is a standalone reviewer. No GPU, no model needed:
|
| 86 |
+
|
| 87 |
+
```bash
|
| 88 |
+
pip install semgrep # optional second layer; the hard rules run without it
|
| 89 |
+
python validador.py path/to/your_code.py
|
| 90 |
+
```
|
| 91 |
+
|
| 92 |
+
It prints the findings and the verdict (DELIVERED / REQUIRES CONFIRMATION / BLOCKED) and
|
| 93 |
+
appends a line to `audit_log.jsonl`.
|
| 94 |
+
|
| 95 |
+
## Quickstart — run the model with Ollama
|
| 96 |
+
|
| 97 |
+
```bash
|
| 98 |
+
# 1. Get the GGUF weights from Hugging Face (see model card)
|
| 99 |
+
# 2. Create the model (Modelfile carries the ChatML template + system prompt)
|
| 100 |
+
ollama create degu-simple-code -f Modelfile
|
| 101 |
+
# 3. Ask it something
|
| 102 |
+
ollama run degu-simple-code "Write a login endpoint"
|
| 103 |
+
```
|
| 104 |
+
|
| 105 |
+
Run the full agent (Layer 1 + self-refinement + Layer 2 + audit):
|
| 106 |
+
|
| 107 |
+
```bash
|
| 108 |
+
python agente.py --ollama
|
| 109 |
+
```
|
| 110 |
+
|
| 111 |
+
## The agent flow
|
| 112 |
+
|
| 113 |
+
```
|
| 114 |
+
request -> Layer 1 generates -> self-refinement -> Layer 2 validates & audits
|
| 115 |
+
-> deliver | ask for human confirmation (destructive) | refuse
|
| 116 |
+
```
|
| 117 |
+
|
| 118 |
+
Every decision is written to a readable audit log.
|
| 119 |
+
|
| 120 |
+
## Open core
|
| 121 |
+
|
| 122 |
+
- **Free (here + Hugging Face):** the weights and this tool. For the individual developer.
|
| 123 |
+
- **Paid ([getdegu.com](https://getdegu.com)):** managed service, org-wide consolidated
|
| 124 |
+
audit trail, governance, multi-tenant. For organizations.
|
| 125 |
+
|
| 126 |
+
## License
|
| 127 |
+
|
| 128 |
+
Apache 2.0 (inherits the base model's license, Qwen3-Coder-30B-A3B-Instruct).
|
| 129 |
+
|
| 130 |
+
---
|
| 131 |
+
|
| 132 |
+
Built by [Prohack / Degú](https://getdegu.com) — governance infrastructure that makes
|
| 133 |
+
enterprise AI viable.
|