|
| 1 | +# Codifide v4.0 — G0 Problem Statement |
| 2 | + |
| 3 | +**Date:** 2026-05-14 |
| 4 | +**Author:** Douglas Jones + Claude (Aegis/Harper) |
| 5 | +**Status:** G0 — approved, proceeding to G1 |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +## Why v4.0? |
| 10 | + |
| 11 | +The gap analysis from the "is this usable in the wild?" question identified |
| 12 | +four structural gaps between Codifide as a research prototype and Codifide |
| 13 | +as a usable tool. Each gap is a concrete, fixable problem. None requires |
| 14 | +rethinking the language design. |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## Problem 1 — `sig` declarations are decorative, not enforced |
| 19 | + |
| 20 | +**What breaks without this:** An agent can declare `sig (n: Int) -> String` |
| 21 | +and pass a `Float` or a `List`. The runtime either silently coerces, fails |
| 22 | +at the primitive level with a confusing error, or produces wrong output. |
| 23 | +The type system is a lie. Agents that trust it will be misled. |
| 24 | + |
| 25 | +**Evidence:** Every case study agent wrote `sig` declarations. None of them |
| 26 | +were checked. The language claims to be designed for agents who need |
| 27 | +trustworthy contracts — but the most basic contract (type) is not enforced. |
| 28 | + |
| 29 | +**Scope:** Runtime type checking at call boundaries. Not full static type |
| 30 | +inference. Check argument types against `sig` declarations when types are |
| 31 | +known. Raise a typed `TypeViolation` error on mismatch. |
| 32 | + |
| 33 | +**Risk:** Medium. Touches the interpreter call path. Existing programs that |
| 34 | +accidentally pass wrong types will now fail loudly instead of silently. |
| 35 | +That is the correct behavior. |
| 36 | + |
| 37 | +--- |
| 38 | + |
| 39 | +## Problem 2 — No standard library |
| 40 | + |
| 41 | +**What breaks without this:** Agents cannot write programs that read files, |
| 42 | +make HTTP requests, parse JSON, or do date arithmetic. Every real-world |
| 43 | +agent pipeline needs at least one of these. The current primitive set covers |
| 44 | +string manipulation and arithmetic but nothing that touches the outside world |
| 45 | +beyond `io.say` and `clock.now`. |
| 46 | + |
| 47 | +**Evidence:** The "usable in the wild" assessment identified this as a |
| 48 | +hard blocker for real-world use. The content-moderation pipeline task spec |
| 49 | +(the canonical test) uses only string primitives — it was designed to avoid |
| 50 | +this gap, not to demonstrate the language is complete. |
| 51 | + |
| 52 | +**Scope:** Four new effect groups: |
| 53 | +- `io.read` — read a file by path, return string |
| 54 | +- `http.get` / `http.post` — HTTP client primitives |
| 55 | +- `json.parse` / `json.encode` — JSON round-trip |
| 56 | +- `clock.date` — structured date arithmetic beyond `clock.now.hm` |
| 57 | + |
| 58 | +**Risk:** Medium. New effect declarations, new primitives, new error kinds. |
| 59 | +Does not touch existing primitives or the canonical form for existing programs. |
| 60 | + |
| 61 | +--- |
| 62 | + |
| 63 | +## Problem 3 — No operated public registry |
| 64 | + |
| 65 | +**What breaks without this:** V3-2 shipped remote symbol resolution |
| 66 | +infrastructure, but the registry at `codifide.com/symbols/<hash>` is empty. |
| 67 | +Two agents cannot exchange symbols without out-of-band coordination because |
| 68 | +there is nowhere to publish to. The multi-agent protocol story is |
| 69 | +infrastructure without content. |
| 70 | + |
| 71 | +**Evidence:** V3-2 acceptance criterion was "agent on machine B resolves a |
| 72 | +symbol published by agent on machine A." That works mechanically but requires |
| 73 | +both agents to be running their own servers. A public registry with real |
| 74 | +symbols in it is the missing piece. |
| 75 | + |
| 76 | +**Scope:** Operate the public registry endpoint. Seed it with the canonical |
| 77 | +pipeline task spec symbols (the five programs from the case studies). Document |
| 78 | +the publish workflow. Add `codifide store push --registry https://codifide.com` |
| 79 | +as the canonical publish path. |
| 80 | + |
| 81 | +**Risk:** Low for the code (already exists). Medium for operations (requires |
| 82 | +a running server, storage, and uptime commitment). |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +## Problem 4 — Server is 127.0.0.1 only |
| 87 | + |
| 88 | +**What breaks without this:** The RPC server cannot be used for multi-machine |
| 89 | +agent coordination without a reverse proxy, TLS, and auth — none of which are |
| 90 | +documented or provided. The V3-2 remote registry works around this by using |
| 91 | +the public endpoint, but any team wanting to run a private registry is on |
| 92 | +their own. |
| 93 | + |
| 94 | +**Evidence:** The Sable audit of V2-1 flagged AUD-RPC-02 (no socket timeout, |
| 95 | +slow-loris risk) as P2. The server was explicitly documented as "local-only, |
| 96 | +trusted caller." That is the right call for v2.0 but not for v4.0 where |
| 97 | +multi-machine use is the goal. |
| 98 | + |
| 99 | +**Scope:** Add an `--auth-token` flag for bearer token authentication. Add |
| 100 | +TLS support via `--cert` / `--key` flags (or document the reverse proxy |
| 101 | +pattern). Remove the "not safe to expose over a network" warning when auth |
| 102 | +is configured. Update `docs/RPC_API.md`. |
| 103 | + |
| 104 | +**Risk:** Medium-high. Security-sensitive. Requires Sentinel review and |
| 105 | +Sable audit before shipping. |
| 106 | + |
| 107 | +--- |
| 108 | + |
| 109 | +## Prioritization |
| 110 | + |
| 111 | +| ID | Problem | Priority | Risk | Dependency | |
| 112 | +|----|---------|----------|------|------------| |
| 113 | +| V4-1 | Runtime type enforcement | P1 | Medium | None | |
| 114 | +| V4-2 | Standard library | P1 | Medium | None | |
| 115 | +| V4-3 | Public registry (operated) | P2 | Low/Medium | V3-2 (shipped) | |
| 116 | +| V4-4 | Network-safe server | P3 | Medium-High | V4-3 | |
| 117 | + |
| 118 | +V4-1 and V4-2 are independent and can be implemented in parallel. |
| 119 | +V4-3 is mostly operational, not code. V4-4 depends on V4-3 being |
| 120 | +useful first. |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +## What is explicitly out of scope for v4.0 |
| 125 | + |
| 126 | +- **Full static type inference** — V4-1 is runtime checking only. Static |
| 127 | + inference requires a type system design that is not yet specified. |
| 128 | +- **Hosted runtime / cloud execution** — no adoption evidence. |
| 129 | +- **Time-indexed types (V3-4)** — still deferred, still no evidence. |
| 130 | +- **Editor integration** — still deferred. |
| 131 | +- **Structural diff and merge** — still deferred. |
| 132 | + |
| 133 | +--- |
| 134 | + |
| 135 | +## G0 decision |
| 136 | + |
| 137 | +**Approved.** All four problems are real, bounded, and worth solving. |
| 138 | +Evidence is direct (case study findings, Sable audit findings, gap analysis). |
| 139 | +Scope is honest. Proceeding to G1. |
| 140 | + |
| 141 | +*Aegis sign-off: approved 2026-05-14* |
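Review bot: In the Problem 4 Scope, removal of the "not safe to expose over a network" warning is keyed on auth alone, while TLS is listed as optional ("or document the reverse proxy pattern"). As written, a server started with `--auth-token` but without `--cert` / `--key` would accept the bearer token over plaintext and no longer warn about it. Suggest that the scope require both auth and transport protection before the warning is dropped, for example TLS flags set or an explicit operator acknowledgement that a TLS-terminating proxy sits in front, and that it state what the server does when it is bound to a non-loopback address with neither. Separately, the Evidence paragraph cites AUD-RPC-02 (no socket timeout, slow-loris risk), but the Scope lists no timeout work. Either add the socket timeout to V4-4 or note where it is tracked, since that finding becomes more relevant once the server is no longer local-only.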