Applied AI · Code Provenance
Working instrument
CodeRadar
The beam does not tidy the code — it reveals what is counterfeit
What this is
Counterfeit code does not look wrong — that is the entire reason it survives review. CodeRadar is a live auditing instrument that reads a codebase the way an examiner reads a document: a validator trained on the failure patterns of machine-generated code flags each infraction with a rule code and severity, proposes the repair, and writes every verdict to a state mirror so the audit trail outlives the fix.
The technical shape
- Detector
- noai validator — NAI rule set for machine-generated code patterns
- Catches
- hallucinated imports · mismatched fallbacks · bare excepts · unguarded parses · dead computation
- Also watches
- path hacks · type integrity · sync I/O · frozen-function drift
- Audit trail
- state mirrors (.noai_state.json) with before/after for every repair
- Surface
- live dashboard — circuit graph, findings ledger, per-file drill-down
The deep end · full technical outline
Outline v2 · expanding
What counterfeit code is
Code that parses, passes linting and type checking, and reads as logically sound to a reviewer — while violating mathematical invariants every real implementation must satisfy. Not broken code: broken code throws. Counterfeit code runs; it just does not do what it claims. Its shapes are recognizable: identity functions that compute a result and return the input; mutation theater that builds a cleaned list and returns the original; pass-only stubs behind confident docstrings; dead computation written to look busy. Every one of them passes ast.parse, mypy, and ruff.
Why it accumulates
Agent reliability degrades along two axes at once — task difficulty and codebase size — and the failure concentrates where both dials are turned up, which is exactly where developers reach for AI help. Compounding it: no human reads at agent speed. An agent produces hundreds of lines across dozens of files in minutes; reviewing every line negates the speed advantage, skipping review means trusting output at its least trustworthy. The only resolution is validation that runs at agent speed — deterministic, local, real-time.
The four invariants
Every legitimate implementation must satisfy four conditions: inputs influence outputs (every parameter reaches a return value through the data-flow graph); computation is captured (assigned variables are read, calculated values used); iteration accumulates (loops build state, not overwrite it); functions produce (a return value or a side effect). Violating any one is sufficient proof of counterfeit. Verdicts are binary — no scores, no thresholds, no confidence percentages to adjudicate.
The mathematics
Data-flow reachability: build the directed graph of variable flow, run backward DFS from all return values — any declared parameter outside the reachable set is accepted but never influences output. Dead stores by set difference: written − read. AST structural hashing proves an if and its else are the same branch (hash equality on the dumped subtrees, line numbers ignored). Algebraic-identity and tautology checks catch padding (x + 0, x · 1) and decisions that are not decisions (x == x). A cyclomatic floor flags validators with no branches; statistical bounds (μ ± 2σ against known-good code, 2× excessive / 0.5× underuse per metric) flag functions that are mathematically unlike real implementations.
Three daemons
A watchdog circuit daemon (AST scan, mypy, CRC fingerprints of frozen functions) feeds a validator daemon running a five-stage pipeline over 97+ discrete rules in ten categories — every check a pure predicate on the AST, true or false — which feeds a live proof dashboard. Startup is completion-gated; after the baseline, validation is incremental. File save to dashboard verdict in under five seconds, sub-second for a single edit, fully offline, no API, no tokens, no model-version drift.
One fix, not a menu
For each infraction the cheatsheet builder generates candidate repairs, ranks them against a profile learned from the repo itself (framework, naming, defensive-guard conventions), and gates them: must parse, must differ from the original, must introduce no dangerous patterns. One vetted before/after pair ships per finding. The asymmetry is by design — detection needs graph theory; the repair is almost always simple, because counterfeit code fails by omitting something straightforward. Cross-file forensics trace blame through the import graph to a natural wall — logical, permission, or cyclic — and a layered-error peeler chains compatible fixes when one repair uncovers the next.
Zeroed mirrors, live supervision
Every validation cycle writes .noai_state.json mirrors to every directory: findings, recommended order, and the before/after for each repair. In the full configuration four coordinated agents watch the mirrors, apply the fixes, run the tests, and resume building only when the mirrors read zero — provable clean state, not a feeling. Above it all, the live circuit graph makes agent damage visible in seconds: the documented save was an agent severing every import from an __init__ mid-“fix” — nodes went red, the developer interrupted at that exact moment, and days of building on a broken foundation never happened.