CODE TO CAPITAL Research Lab · W2
Workstream W2 · CTC Research Lab

Contamination-Resistant Code Evaluation

Static coding benchmarks degrade as their tasks leak into training corpora — scores partly reflect training-set memory, not capability. W2 sidesteps that failure mode by synthesising evaluation tasks directly from real, versioned repositories via AST analysis: tasks become a pure function of (commit, extraction rules), so contamination turns into a property that can be reasoned about and refreshed, rather than an invisible confound.

Working paperpilot measured — operational results only · resistance study next

Pilot run
60/60 tasks · 4 min 57 s
End-to-end on the Cerberus validation framework — single stream, temperature 0, no OOM.
Measured
Throughput
~200 tok/s
A ~3B-active sparse-MoE decode path on one RTX 5090 — bandwidth-bound, correctly attributed.
Measured
Headline metric
score(stale) − score(fresh)
The contamination gap (C1): small on regenerated tasks where a static benchmark shows a large one.
Target · predicted
§01

The problem

Benchmark validity is tied to how far the test data has escaped the training set — and for public coding suites, the honest answer is: not far.

Early execution-based suites established functional-correctness testing but are single-file, synthetic, and now heavily leaked into training corpora; hardened variants added mutation-generated tests without solving contamination. The field’s response has taken three forms: temporal harvesting (collecting problems published after a model’s cutoff), private held-out repositories, and automated generation from real repositories. W2 belongs to the third family — distinguished by two deliberate constraints: it runs end-to-end on a single 32 GB GPU, air-gapped, and it targets a security-relevant validation library, where a hallucinated “fix” is maximally costly.

Two lessons from that literature shape everything below. First, contamination resistance is only established by a fresh-versus-stale comparison — not by the mere act of generating from a repository. Second, the field’s standard for a code “pass” is execution-grounded: success means tests pass after the model’s change, not that the output reads as plausible.

§02

Method — tasks from a pinned commit

A structural extraction engine reads a target repository and manufactures fresh tasks bound to that code’s actual signatures, imports, and edge cases — up to one task per category per file.

Pinned commit repo state, versioned Scan glob + filter AST parse per source file Metadata signatures · imports Task synthesis ≤ 1 task / category / file code_generation function from requirement + import context code_understanding locate a deliberately injected bug security_audit injection vectors · unfiltered eval/exec deterministic eval engine · temperature 0 · single stream · SQLite → JSON → dashboard
Task synthesis — from a pinned commit to a scored run. No hand-authored task list, no public suite.
The reproducibility property

Tasks are a pure function of (repo state, extraction rules) — re-derivable from the exact commit months later, by an independent party. That is the substrate contamination control is built on.

Why a 35B model fits 32 GB — sparse experts + hybrid attention (pilot model: Qwen3.6-35B-A3B · Q4_K_M) weights ~24 GB · all 256 experts resident (~3B active per token) KV ~5 GB OS MoE buys compute and bandwidth, not memory — decode tracks the ~3B active path (hence ~200 tok/s), VRAM tracks the full 35B. Hybrid attention buys the cache headroom: only 10 of 40 layers grow a KV cache; the other 30 carry a fixed-size recurrent state.
The enabling arithmetic, measured on the pilot hardware. The known caveat: low-bit quantisation preserves surface validity more reliably than deep reasoning — exactly what execution grounding (C2) must confirm rather than assume.
§03

The pilot, read honestly

Sixty tasks — twenty per category — ran end-to-end against Cerberus, a security-relevant input-validation library. Every task completed. And that is precisely why the result is not a capability score.

Measured — single stream · temperature 0 · no OOM 60 / 60 completed · no OOM 4 min 57 s ~5.0 s per task ~200 tok/s ~3B active · bandwidth-bound 74,342 tokens 12.7k prompt / 59.4k completion the 100% converts directly into the agenda ↓ Stratify difficulty beginner → adversarial (C3) Execution-ground it verified ≠ completed (C2) Show the gap fresh − stale (C1) Frontier anchor cross-model, cross-repo (C4/C5)
Pilot result — operational signal, not a capability score. The 100% pass rate is read as a non-discriminative task set.

By the discrimination rule this lab applies to every rubric — a task set on which every sample passes measures nothing — a 60/60 result is not a capability claim. It says the generated tasks sat below the model’s ceiling. That is the pilot’s central finding: the extraction pipeline runs end-to-end, deterministically, within the VRAM budget — and the difficulty distribution must be raised before any number carries signal. What is trustworthy here is the operational measurement: throughput, stability, token accounting under a pinned single stream.

§04

What the pilot does not show

Two properties the run does not establish — named precisely, because each becomes a measurable criterion in §05.

B-1 Contamination resistance is a property of the method, not yet a demonstrated result Cerberus is mature, widely used, and almost certainly inside the model’s training corpus. Synthesising from its structure yields fresh task phrasings — but the underlying code and idioms are plausibly memorised, so this run cannot separate capability from recall. What it does establish is the substrate for control: tasks pinned to a commit, re-derivable deterministically. Resistance itself requires the fresh-versus-stale comparison (C1) against post-cutoff code. → C1
B-2 “Completed” is not “correct” The pilot’s pass criterion is a syntactically valid, on-task response; it does not execute the generated code against tests. The field’s standard is execution-grounded — and by that standard the pilot reports completion, not verified correctness. The fix routes outputs through the W1 execution harness: compile, generated and property tests, linter and type-checker. It matters most in security_audit, where a claimed vulnerability should be confirmed by an actual reproduction, not accepted as text. → C2
Static public benchmark stale fresh large gap = contamination score partly reflects training-set memory Regenerated from a live repository stale fresh small gap = resistant same pipeline, post-cutoff targets What resistance has to mean contamination gap = score(stale) − score(fresh) fresh = repositories / commits after the cutoff
§05

Five falsifiable criteria

The workstream hypothesis: tasks regenerated from live repositories resist memorisation — a model’s advantage on seen code does not transfer to structurally-matched unseen code drawn by the same pipeline. Every claim carries an instrument and a threshold, marked predicted until measured.

C1 Contamination gap score(stale) − score(fresh), where fresh = tasks synthesised from repositories or commits after the model’s knowledge cutoff and stale = pre-cutoff, well-known code. Pass: the pipeline exhibits a small gap where a static public benchmark exhibits a large one, on the same model. Falsified if: the gap on the regenerated set is as large as on the static set — the method adds no resistance. Predicted
C2 Execution-grounded correctness A “pass” should be verified, not asserted. Instrument: the W1 execution harness and frozen-rubric judge — generated code must compile and pass generated/property tests; a located bug must be confirmed by a failing→passing test; an audit finding must be reproduced. Falsified if: execution verification overturns a material fraction of “completed” passes. Predicted
C3 Discrimination The task set must separate strong from weak output. Instrument: stratify difficulty (beginner → adversarial) until the pass rate desaturates; report the difficulty distribution and an item-level discrimination index, not a single pass rate. Falsified if: no difficulty band exists where the pass rate is informative — neither 0 nor 100%. Predicted
C4 Cross-model, cross-repo external validity Identical measured conditions across models and repositories (async routing, validation metaclasses, REST frameworks) via the live GitHub API — no simulated rows. Falsified if: rankings and gaps are unstable or repo-inappropriate across the grid. Predicted
C5 Frontier anchor & hallucination check Anchor local scores against a frontier model via a batch API, and cross-reference generated imports and API calls against real package documentation — fabricated dependencies must be caught before they read as valid code. Falsified if: no quantified local-versus-frontier gap, or the fabricated-dependency rate goes unreported. Predicted

C1 and C2 convert the pilot’s honest boundaries into measured results; C3–C5 formalise the next-steps list. All five run on the same single-GPU, air-gapped setup plus the W1 pipeline already in the program — which is the point: the whole plan is verifiable under the sovereignty constraint the pilot was built to honour.

§06

Applied scenario

Vetting an open-weight model for an air-gapped, security-critical codebase — the use case the method exists for.

Sovereign model vetting, end to end
  • Situation. A team maintains a proprietary input-validation library under a data-sovereignty constraint — nothing may leave the network. Public coding benchmarks are contaminated, so a leaderboard rank is no evidence for this codebase.
  • Task. A defensible, on-premises measurement of whether a candidate model handles this repository’s edge cases and injection-vector reasoning — reproducible from the exact commit, inside one 32 GB GPU, with no cloud dependency in the evaluation path.
  • Action. Point the AST extractor at the pinned commit; synthesise tasks bound to the repo’s real signatures and imports; run deterministically at temperature 0 under a pinned single stream; log latency, tokens, and finish reasons per task.
  • Result. A complete evaluation in under five minutes, entirely on-premises and re-derivable from (commit, extraction rules) — defensible in an audit months later. The deliverable is a trustworthy, sovereign measurement and a precise instruction for the next iteration — not a number taken on faith.
§07

Limitations, stated up front

Beyond the two boundaries of §04
  • A different task family. AST-synthesised tasks are structurally cleaner than issue-resolution tasks (“resolve this GitHub issue so its hidden tests pass”) — the pipeline complements rather than replaces issue-based evaluation, and its difficulty ceiling is one reason the pilot saturated.
  • Single operator, single hardware. The operational numbers (throughput, latency) carry that external-validity bound independent of the capability question — a C4 concern by design.
  • Identification is not exploitation. The security_audit category currently scores identification; a finding that reads as correct may not be — which is precisely why C2’s reproduction requirement is load-bearing for that category.
  • Quantisation is the open caveat. Q4_K_M preserves surface validity more reliably than deep multi-step reasoning — correctness under low-bit weights is what execution grounding must confirm, not assume.