Why Constitutional AI Auditors Miss Dead Code: The Static Analysis vs. DI Gap

These articles are AI-generated summaries. Please check the original sources for full details.

My Constitutional Auditor Missed Dead Code. Here’s Why — and What I’m Doing About It.

Engineer Dariusz Newecki discovered that CORE’s constitutional auditor failed to detect a completely orphaned file named llm_api_client.py. While the purity.no_dead_code rule was active, the enforcement mechanism relied on Vulture, which only scans for unused symbols within files rather than traversing the full import graph.

Why This Matters

Constitutional governance in software is only as strong as its enforcement mechanisms; a gap between legal intent and technical implementation creates a false sense of security. In complex systems using Dependency Injection (DI) or dynamic discovery, standard static analysis tools frequently fail to map actual reachability, leading to either missed dead code or massive volumes of false positives that obscure real issues.

Key Insights

  • The scope of the Vulture static analysis tool (2026) is limited to symbols inside individual files; it cannot identify unreachable orphan files, i.e. files that nothing imports.
  • The Constitutional Gap occurs when policy declarations in .intent/rules/ exceed the technical capabilities of the enforcement mappings in .intent/enforcement/.
  • Dependency Injection (DI) in CORE causes 164+ false positives because services are injected at runtime rather than imported via static statements.
  • Dynamic discovery via pkgutil.iter_modules and importlib makes architectural components invisible to standard AST-based graph traversal.
  • Governance tools reveal architecture: implementing an orphan check produced a complete map of CORE’s dynamic loading patterns and plugin conventions, regardless of how accurate the check itself was.

Working Examples

The purity.no_dead_code rule definition in CORE’s constitution.

{
  "id": "purity.no_dead_code",
  "statement": "Production code MUST NOT contain unreachable or dead symbols as identified by static analysis.",
  "enforcement": "reporting"
}

The initial enforcement mapping that resulted in the missed orphan file.

purity.no_dead_code:
  engine: workflow_gate
  params:
    check_type: dead_code_check
    tool: "vulture"
    confidence: 80

Practical Applications

  • Use Case: Extending CORE’s knowledge_gate with an orphan_file_check using Python’s AST module to traverse the import graph from declared entry points.
  • Pitfall: Relying solely on static analysis in DI-heavy architectures; this results in high false-positive rates (e.g., 231 files flagged) for active components like research agents.
  • Use Case: Implementing Git activity heuristics to flag files with zero activity in 90+ days combined with zero imports to identify genuinely dead code in decoupled systems.
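The import-graph traversal described in the first use case, as an added example that is not CORE's own orphan_file_check: a reachability walk over static imports from declared entry points, with a `dynamic_roots` parameter standing in for packages that CORE loads via pkgutil/importlib. The module names and sources below are constructed for the example, not CORE's real layout.

```python
import ast

# Constructed in-memory package (module name -> source text), standing in
# for a real source tree. Names are illustrative, not CORE's actual files.
MODULES = {
    "core.main": "from core.services import registry\nimport pkgutil\n",
    "core.services": "from core import utils\n",
    "core.utils": "",
    # Loaded at runtime via pkgutil.iter_modules: a false positive for a
    # purely static walk, exactly the DI/dynamic-discovery gap described.
    "core.agents.research": "from core import utils\n",
    # Imported by nothing and not discovered dynamically: a true orphan.
    "core.llm_api_client": "import json\n",
}


def imported_modules(source, known):
    """Return the known modules that `source` imports through static statements."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module)
            # `from pkg import name` may name a submodule rather than a symbol
            for alias in node.names:
                found.add(f"{node.module}.{alias.name}")
    return {m for m in found if m in known}


def orphan_files(modules, entry_points, dynamic_roots=()):
    """Modules unreachable from `entry_points` by following static imports.

    `dynamic_roots` lists packages the caller declares as discovered at
    runtime (pkgutil.iter_modules, importlib); their members are treated as
    reachable so the walk does not flag live plugins as dead code.
    """
    stack = list(entry_points)
    stack += [m for m in modules
              if any(m.startswith(root + ".") for root in dynamic_roots)]
    reachable = set()
    while stack:
        mod = stack.pop()
        if mod in reachable or mod not in modules:
            continue
        reachable.add(mod)
        stack.extend(imported_modules(modules[mod], modules))
    return sorted(set(modules) - reachable)
```

Without `dynamic_roots` the walk flags both the dynamically loaded agent and the real orphan; declaring `core.agents` as a dynamic root leaves only `core.llm_api_client`, which is the signal the Vulture-based mapping could not produce.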
