Codifide — Confidence in Code, for Agents

Active Projects

Four active projects at the intersection of AI, software, and real-world impact.

Open Source · v4.0

The Codifide Programming Language

A programming language that codifies what software usually leaves implicit — for a world where agents write the code.

Every mainstream language — from Fortran to Rust — was built around human cognitive constraints. Agents don't share those constraints. Codifide codifies what software usually leaves implicit: intent, effects, contracts, confidence, and refusal — and preserves those properties with byte-level fidelity across every agent that reads, writes, or composes the code. The name is the thesis.

Intent

Every function carries why it exists as structure — not a comment the compiler discards. A symbol's intent is part of its content-addressed identity.

Effects

Declared in the type and enforced transitively across the call graph. A pure function cannot call an impure one and launder the effect.

Contracts

Pre- and postconditions the runtime evaluates — not docstrings. Contracts run with an empty effect budget. They describe state; they do not modify it.

Confidence

believe label ge(conf(label), 0.85) — probability as a first-class dispatch mechanism. Every value can carry a confidence score.

Refusal

bottom is a value, not an exception. A function that does not know enough to answer says so. The runtime respects that.

Fidelity

Two agents naming the same content hash see the same bytes, the same contracts, the same intent. No drift. No version gaps. No trust gaps.

def classify
  intent "label an image, refuse rather than guess"
  sig    (img: Image) -> Label
  effects {model.vision}
  cand
    label <- vision.classify(img)
    believe label
      ge(conf(label), 0.85) => label
      ge(conf(label), 0.60) => escalate(img, label)
      else                  => bottom

450tests passing

2implementations

v4.0released May 2026

MITopen source

View on GitHub → Get started

AI Governance · Open Source

Agentic Stage-Gate Governance

A governance framework for software built by AI agents.

When your developer is an AI agent, who watches the gates? This open-source template adapts Robert Cooper's Stage-Gate® framework for a world where AI builds code faster than humans can review it. Copy the steering files into any project — governance, adversarial review, and quality gates activate automatically in Kiro.

7-gate process (G0–G6) from problem validation to post-launch learning
Three-model review: A-Team builder, B-Team critic, Zero-Context auditor
100% test coverage as a gate requirement, not a goal
Security and accessibility at every gate, not as a phase
AI builds. Humans decide. Evidence proves.

"Evidence, not confidence. 'We think it's fine' is not a gate pass."

View on GitHub →

Healthcare · AI · HIPAA

Codifide Health

AI-powered healthcare intelligence, built for compliance from the ground up.

A Tuva-aligned analytics platform designed to support 10M+ patients at scale, with AI clinical decision support, federated machine learning, and multi-region deployment. Built for HIPAA/SOC2 compliance from the ground up — not bolted on.

FHIR-native EHR integration with SMART on FHIR OAuth (Epic, Cerner, athenahealth, eClinicalWorks)
Fail-closed organization enforcement — no implicit tenant fallbacks
GPT-4 powered clinical assistant with audit trails
MIPS/HEDIS quality measures with real-time updates
Zero-trust security with ABAC policies, HIPAA/SOC2 ready

FHIR Kafka ClickHouse Keycloak Federated ML

Private project — interested in contributing? Get in touch.

iOS · Consumer · AI

Decode The Sign

Confusing parking signs, decoded instantly on your iPhone.

A native iOS app that turns the chaos of urban parking signs into a fast, plain-English answer. Point your camera, get a clear ruling. Built with a time-aware rule engine, semantic OCR, and conservative low-confidence gating — it never guesses. A companion web app serves Android and desktop users.

Native iOS app with Expo shell — camera capture, heading-aware nearby ranking
Time-aware parking rule engine with multi-sign merging
Semantic OCR-to-rule candidate scoring
Multi-city data sync — Chicago, NYC, San Francisco, Raleigh
Street cleaning schedules and EV charging station data
Conservative low-confidence gating — never guesses

Expo / iOS Next.js Supabase OpenAI OCR Vercel

Visit decodethesign.com →

Private project — interested in contributing? Get in touch.

v4.0 — May 2026

What v4.0 adds — the usability release

v4.0 closes the gap between research prototype and usable tool. Runtime type enforcement makes sig declarations trustworthy. A standard library covers file I/O, HTTP, JSON, and date arithmetic. 450 tests passing, 0 skipped.

Runtime type enforcement

sig declarations are now enforced at every call boundary. Passing a String where Int is declared raises TypeViolation. Any accepts all values. Number accepts both Int and Float.

# v4.0 — type mismatch caught at call boundary
def double
  intent "double an integer"
  sig    (n: Int) -> Int
  effects {}
  cand
    add(n, n)

# double("hello") → TypeViolation: parameter 'n' expects Int but got String

New TypeViolation error · 20 new tests · best-effort (untagged values pass)

File I/O and HTTP

io.read, io.write, io.exists for filesystem access. http.get, http.post for HTTPS requests. Path traversal defense built in. HTTPS-only enforcement.

def fetch_and_save
  intent "fetch a URL and save to disk"
  sig    (url: String, path: String) -> Unit
  effects {http.fetch, io.write}
  cand
    body <- http.get(url)
    io.write(path, body)

{io.read} · {io.write} · {http.fetch} · 30s timeout · 16 MiB limit

JSON and date arithmetic

json.parse and json.encode are pure — no effect declaration needed. clock.today, clock.parse, clock.add_days, clock.format for date work.

def days_until
  intent "days from today until a target date"
  sig    (target: String) -> Int
  effects {clock.read}
  cand
    today_ts <- clock.parse(clock.today())
    target_ts <- clock.parse(target)
    div(sub(target_ts, today_ts), 86400)

json.parse · json.encode · clock.today · clock.parse · clock.add_days · clock.format

V4-4 deferred — network-safe server

Bearer token auth and TLS for the RPC server were scoped for v4.0 but deferred. The public registry (V4-3) must demonstrate multi-machine use cases before the security investment in network exposure is justified. The server remains local-only for now.

Full changelog → Browse the registry → Agent quickref

v3.0 — May 2026

What v3.0 adds

Three requirements shipped. Refusal reasons make bottom diagnosable. Remote symbol resolution makes content-addressed composition work across machines. Parallel import support closes the last known gap in the parallel evaluator. 383 tests passing, 0 skipped.

Refusal reasons — `bottom "reason"`

bottom now accepts an optional string payload. The reason propagates through RefusalError for diagnostics. Bare bottom is unchanged — existing hashes are not invalidated.

# v3.0 — reason propagates through RefusalError
believe result
  ge(conf(result), 0.85) => result
  else                   => bottom "confidence below threshold"

AST · runtime · canonical form · Rust · 24 new tests

Remote symbol resolution

Push a symbol to a remote registry and resolve it from any machine. codifide serve --read-only enables public registry deployments.

python3 -m codifide store push sha256:1c01… \
  --registry https://registry.example.com

python3 -m codifide run pipeline.cod \
  --registry https://registry.example.com

RemoteStore · fetch-and-cache · hash-verified · --read-only flag

Parallel evaluator import support

Branch interpreters in the parallel evaluator previously ran with empty resolved_imports, making imported symbols unavailable inside parallel branches. Fixed — imported-symbol calls are now eligible for parallel evaluation.

# Imported symbols now work inside parallel branches
import classify_content = sha256:3770…

def main
  intent "classify in parallel"
  sig    () -> List
  effects {}
  cand
    list(
      classify_content("message one"),
      classify_content("message two")
    )

AUD-OVERNIGHT-02 closed · branch interpreters carry resolved imports

V3-4 deferred — no adoption evidence

Time-indexed types (T@timestamp) were on the v3.0 roadmap but deferred. No agent session produced evidence that the feature was needed. Adoption evidence outranks intuition — the feature stays on the roadmap until real usage justifies it.

Full changelog → Agent quickref

v2.0 — May 2026

What v2.0 adds, fixes, and enables

Every friction point that blocked agents from completing Program 5 — content-addressed composition — is now fixed. Four requirements, four weeks of adoption evidence, one governance review.

RPC API — Program 5 without the ceremony

Content-addressed composition previously required four CLI commands, an index ceremony, and a runtime flag. Now: start the server, POST canonical forms, import by the returned hashes. No index. No flag.

python3 -m codifide serve

# Publish a symbol
curl -X POST http://localhost:7777/symbols \
  -H 'Content-Type: application/cbor' \
  --data-binary @- < canonical.cbor

# Import by hash in your program
import classify_content = sha256:1c01b8b5…

POST /symbols · GET /symbols/{hash} · GET /symbols/{hash}/imports · idempotent writes · 36 tests · Sable-audited

Static bind-before-when detection

The most common footgun in Codifide — using a bound name in a when guard before the body runs — was a confusing runtime error. It is now a parse error with a one-line fix message.

# Before v2.0: runtime error "unknown callable: 'label'"
# After v2.0: parse error with fix hint
cand
  label <- moderate(message)
  when   eq(label, "unsafe")   # ← caught at parse time
  "blocked"

Python parser + Rust parser · 12 regression tests

from-import in the Rust runtime

from sha256:<hash> import name1, name2 previously required CODIFIDE_RUNTIME=python. That workaround is gone. Both runtimes support from-imports as of v2.0.

# Works in both Python and Rust runtimes
from sha256:a8b5f554… import classify_content,
                               moderate,
                               route_message

Rust parser + Rust interpreter · --store flag · 2 conformance tests

Capability manifest `docs` field

The machine-readable capability manifest now links to human-readable documentation. An agent fetching the manifest gets a pointer to the quickref, cookbook, and getting-started guide — no separate discovery step.

python3 -m codifide capability --hash
# sha256:42d73647ba8de29a7d219bf2218bad0a42dc2a11d7878cac12ee931be2a1a185

curl https://www.codifide.com/capability.json | jq .docs

New manifest hash · publicsite updated · docs/CAPABILITY.md schema updated

Validated by four external agent sessions

v2.0 requirements were driven by real adoption evidence — not speculation. Four models (GPT-4o, Gemini 2.5 Pro, Claude, GPT-5.4) ran the pipeline task spec and documented every failure. The friction points they hit became the v2.0 requirements. The B-Team governance review (GPT-5.4, live interpreter) closed the release.

4 external models tested

5/5 programs completed by all models

12 cookbook failure modes documented

341 tests passing

Full changelog → Agent cookbook

AI Governance Thinking

Agentic AI removes the speed constraint on building. It does not remove the constraint on safety. The question isn't "can AI build it?" — it's "should this ship?"

Speed without governance is faster failure

AI can produce 50 files in an hour. The bottleneck is no longer building — it's deciding what to ship. Governance frameworks must evolve to match the pace of agentic development, not lag behind it.

Evidence, not confidence

"We think it's fine" is not a gate pass. Every gate requires artifacts — test coverage reports, security sign-offs, accessibility audits, integration tests against real backends. Not demos. Not decks.

The builder cannot review their own work

Teams immersed in development share the same blind spots. A separate adversarial reviewer — different model, different prompt, hostile persona — attacks every gate. A Zero-Context reviewer reads the work as a regulator would: knowing nothing, asking everything.

AI builds. Humans decide.

The gate decision — go, kill, hold — is never delegated to the machine. AI provides evidence. Humans decide what ships. That boundary is not a limitation of AI; it's the architecture of accountability.

Intent must survive compilation

When an agent transforms code, the original intent should be preserved — not discarded. Systems that lose intent create accountability gaps that compound at scale. The language is the governance.

Read the whitepaper → Follow on LinkedIn

"The danger isn't that AI builds bad software. It's that AI builds software so fast that governance can't keep up."

"Kill early, kill cheap. A failed gate at G1 costs hours. A failed gate at G5 costs months."

"Agent-authored code does not have the same failure modes as human-authored code. Our governance frameworks haven't caught up."

About Codifide

Codifide Inc. is a software company and research practice building tools for the agent era. The name means the same thing for both the company and the language it stewards: confidence in code.

The work spans language design, healthcare intelligence, consumer AI, and governance frameworks — connected by a single thesis: the properties that matter most in AI-assisted software are the ones that need to be enforced by the system, not trusted to the agent.

Founded and led by Douglas Jones, a software practitioner and thought leader on AI governance, based in the United States.

Veteran-owned small business

Connect

Get in touch

Interested in the work, a collaboration, or a conversation about AI governance?

Send a message

Confidence in code. Governance in practice.