CodeCome expects the target source code to be available under:
src/
The target can be:
- copied directly into src/,
- checked out as a git repository inside src/,
- added as a git submodule,
- extracted from an archive,
- generated by a setup script,
- or mounted into the workspace by another mechanism.
For a single target:
src/
└── target-source-here/
For a copied repository:
src/
├── README.md
├── package.json
├── src/
└── ...
For a benchmark corpus:
src/
└── benchmark-name/
Example:
git submodule add https://example.com/project.git src/project
Then initialize/update later with:
git submodule update --init --recursive
This keeps the audited target separate from the CodeCome workflow files.
Example:
mkdir -p src
unzip target.zip -d src/
or:
tar -xf target.tar.gz -C src/
The first planned PoC target is the NIST SARD Juliet C/C++ test suite.
Juliet should be treated as a benchmark target, not as a special CodeCome core requirement.
Suggested layout:
src/
└── Juliet_Test_Suite_v1.3_for_C_Cpp/
After placing Juliet under src/, run:
opencode run --agent recon "$(cat prompts/phase-1-recon.md)"
The recon phase should infer that the target is a C/C++ benchmark corpus and create notes under:
itemdb/notes/
For a generic target, the default config can remain:
project:
source_path: "./src"
profile: "auto"
For a known target, you may update:
project:
name: "target-name"
source_path: "./src/target-name"
profile: "auto"
languages:
- "auto"
Avoid making the core workflow target-specific.
Target-specific behavior should live in:
.opencode/skills/
itemdb/notes/
sandbox/scripts/
codecome.yml target overrides
The generic sandbox provides common tooling, especially for C/C++ targets.
Target-specific build and test logic can be added to:
sandbox/scripts/build.sh
sandbox/scripts/test.sh
For complex targets, add additional scripts under:
sandbox/scripts/
Examples:
sandbox/scripts/run.sh
sandbox/scripts/build-asan.sh
sandbox/scripts/fuzz.sh
sandbox/scripts/migrate.sh
Do not commit:
- production secrets,
- real credentials,
- private keys,
- sensitive customer data,
- huge generated artifacts,
- local build directories,
- local database dumps unless intentionally sanitized.
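A check for the mechanically detectable items on this list (private keys, huge artifacts, build directories, database dumps), as an added example that is not part of CodeCome. The function names `scan_target` and `tag`, the directory names, the file extensions and the 10 MiB default limit are assumptions; secrets, credentials and customer data in other forms still need manual review.

```shell
#!/bin/sh
# Added example, not part of CodeCome. Flags files under a target directory
# that fall into the mechanically detectable "Do not commit" categories.
# Directory names, file extensions and the size limit are assumptions.

# tag CATEGORY: prefix each path read from stdin with its category.
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# scan_target DIR [MAX_KB]
# Prints "category<TAB>path" per finding. Returns 0 if clean, 1 if anything
# needs review, 2 if DIR is not a directory.
scan_target() {
    dir=$1
    max_bytes=$(( ${2:-10240} * 1024 ))   # assumed default limit: 10 MiB
    [ -d "$dir" ] || { echo "scan_target: no such directory: $dir" >&2; return 2; }
    findings=$(
        # Private keys: PEM headers such as "-----BEGIN RSA PRIVATE KEY-----".
        find "$dir" -name .git -prune -o -type f \
            -exec grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + |
            tag private-key
        # Huge generated artifacts: any regular file above the size limit.
        find "$dir" -name .git -prune -o -type f -size +"${max_bytes}c" -print |
            tag huge-file
        # Local build directories (assumed names); report each directory once.
        find "$dir" -type d \( -name build -o -name node_modules \
            -o -name CMakeFiles -o -name __pycache__ \) -prune -print |
            tag build-dir
        # Database dumps: listed for review, since sanitized dumps are allowed.
        find "$dir" -name .git -prune -o -type f \( -name '*.sql' \
            -o -name '*.dump' -o -name '*.sqlite' -o -name '*.sqlite3' \) -print |
            tag db-dump
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and call `scan_target src/` before committing a copied target; a non-zero status means at least one path needs review.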
After placing a target under src/:
make check
make sandbox-check
opencode run --agent recon "$(cat prompts/phase-1-recon.md)"
Then review:
itemdb/notes/target-profile.md
itemdb/notes/attack-surface.md
itemdb/notes/validation-model.md
itemdb/notes/interesting-files.md
CodeCome is dual-licensed under your choice of:
- GNU General Public License version 3 or later (GPL-3.0-or-later), or
- GNU Affero General Public License version 3 or later (AGPL-3.0-or-later).
SPDX expression: GPL-3.0-or-later OR AGPL-3.0-or-later.
The files under templates/sandboxes/ are an exception: they are
licensed under the MIT License so they can be copied into user
workspaces without imposing copyleft obligations on those user
projects.
See LICENSE, AGPL-LICENSE, templates/sandboxes/LICENSE, and
NOTICE. Contributions are accepted under the terms described in
CONTRIBUTING.md.
Copyright (C) 2025-2026 Pablo Ruiz García <pablo.ruiz@gmail.com>.