This morning CORE's audit looked like this:
Rules declared: 115 Rules executed: 99
Total findings: 349
Final Verdict: PASSED ✅
By afternoon:
Rules declared: 116 Rules executed: 100
Total findings: 380 Errors: 31
Final Verdict: FAILED ❌
I didn't break anything. I wrote two files. Here's what happened.
The Gap
CORE has a cognitive role system. Every AI call must go through a PromptModel artifact that declares which role handles the invocation. The rule is written in the constitution:
"Cognitive role must be read from model.manifest.role, never hardcoded."
The correct pattern:
pm = PromptModel.load("my_artifact")
client = await self.cognitive_service.aget_client_for_role(pm.manifest.role)
The wrong pattern:
client = await self.cognitive_service.aget_client_for_role("Coder")
The constitution said this was illegal. But there was no rule enforcing it. So the audit couldn't see it.
A quick grep confirmed what was hiding:
grep -rn 'aget_client_for_role("' src/ | grep -v 'manifest\.role'
32 violations. 28 files. Including the ViolationRemediator — the worker that fixes other violations.
Two Files
.intent/rules/ai/cognitive_role_governance.json — the rule:
{
  "id": "ai.cognitive_role.no_hardcoded_string",
  "statement": "All calls to aget_client_for_role() MUST pass the role from model.manifest.role. String literals are PROHIBITED.",
  "enforcement": "blocking",
  "rationale": "A hardcoded role string bypasses the PromptModel governance layer entirely. Ungoverned, untestable, invisible to audit."
}
.intent/enforcement/mappings/ai/cognitive_role_governance.yaml — the enforcement:
mappings:
  ai.cognitive_role.no_hardcoded_string:
    engine: regex_gate
    params:
      forbidden_patterns:
        - "aget_client_for_role\\(\"[A-Za-z]"
    scope:
      applies_to:
        - "src/**/*.py"
      excludes:
        - "src/will/orchestration/cognitive_service.py" # IS the implementation
Ran the audit. 31 blocking errors.
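The forbidden pattern above only matches a double-quoted literal that starts with a letter, so a single-quoted literal or a role passed through a local variable would not be flagged. The following is an added example, not code from CORE or from the original post: it compares the page's regex with an AST check that accepts only an argument of the form `<x>.manifest.role`. The function names and the sample source are constructed for illustration, and treating a keyword argument as the role is an assumption about the call signature.

```python
import ast
import re

# Pattern copied from the page's regex_gate mapping (YAML escapes removed).
PAGE_PATTERN = re.compile(r'aget_client_for_role\("[A-Za-z]')

# Constructed sample source, not taken from the CORE repository.
SAMPLE = '''
async def run(self):
    pm = PromptModel.load("my_artifact")
    a = await self.cognitive_service.aget_client_for_role(pm.manifest.role)
    b = await self.cognitive_service.aget_client_for_role("Coder")
    c = await self.cognitive_service.aget_client_for_role('Coder')
    role = "Coder"
    d = await self.cognitive_service.aget_client_for_role(role)
'''


def regex_hits(source):
    """Line numbers the page's forbidden pattern matches."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if PAGE_PATTERN.search(line)]


def _is_manifest_role(node):
    """True for an expression of the form <anything>.manifest.role."""
    return (isinstance(node, ast.Attribute) and node.attr == "role"
            and isinstance(node.value, ast.Attribute)
            and node.value.attr == "manifest")


def ast_hits(source):
    """Lines where aget_client_for_role gets anything but <x>.manifest.role."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
        if name != "aget_client_for_role":
            continue
        # Assumption: the role is the first positional or keyword argument.
        args = node.args + [kw.value for kw in node.keywords]
        if not args or not _is_manifest_role(args[0]):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("regex:", regex_hits(SAMPLE), "ast:", ast_hits(SAMPLE))
```

On the constructed sample the regex flags only the double-quoted call, while the AST check also flags the single-quoted literal and the call that passes a local variable.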
Why FAILED Is the Right Answer
These violations didn't appear today. They were there for months — silent, invisible, passing every audit.
The audit was passing because the law hadn't been written yet.
A passing audit against an incomplete constitution isn't a clean bill of health. It's an unknown. Writing the rule didn't create the problem. It revealed it.
Before touching a single file, I committed:
git add -A && git commit -m "feat(governance): add ai.cognitive_role.no_hardcoded_string
31 blocking violations now visible. Previously silent.
Constitutional act: new law, enforcement active."
Now 31 files need remediation. CORE already generated the commands. One file at a time.
CORE is open source: github.com/DariuszNewecki/CORE
The PromptModel pattern was inspired by Ruben Hassid — worth following.