chore: remove dead code (#648)

[zmanian]

Summary

• Delete LlmEvaluator struct/impl (zero callers) and remove #[allow(dead_code)] from RuleBasedEvaluator methods
• Delete chunk_by_paragraphs() function and its 2 tests (zero production callers, only chunk_document() is used)
• Delete install_bundled_channel_from_artifacts() method (hot-activation flow never shipped)
• Remove unused safety: Arc<SafetyLayer> field from Reasoning struct; cascade removal through ContextCompactor, HeartbeatRunner, LlmSoftwareBuilder, spawn_heartbeat(), register_builder_tool(), and all callers (~18 files)

Net: -336 lines of dead code removed across 17 files.

Closes #648

Test plan

• cargo fmt -- --check passes
• cargo clippy --all --benches --tests --examples --all-features -- zero new warnings
• cargo test --lib -- 2542 tests pass (2 fewer: deleted chunk_by_paragraphs tests)
• No new #[allow(dead_code)] annotations added
• All #[allow(dead_code)] annotations from the 4 items removed

Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a comprehensive cleanup of the codebase by identifying and removing several pieces of dead or unused code. The primary goal is to reduce complexity, improve maintainability, and eliminate unnecessary dependencies. This includes removing unused evaluation logic, an alternative chunking strategy, and an unreleased installation method, along with a significant refactoring to remove an unused SafetyLayer dependency from core components, resulting in a leaner and more efficient system.

Highlights

• Dead Code Removal: LlmEvaluator: The LlmEvaluator struct and its implementation have been entirely removed, as it had no active callers within the codebase. This also led to the removal of #[allow(dead_code)] attributes from RuleBasedEvaluator methods.
• Dead Code Removal: chunk_by_paragraphs: The chunk_by_paragraphs() function and its associated tests have been deleted. This function was not used in production, with chunk_document() being the sole active chunking mechanism.
• Dead Code Removal: install_bundled_channel_from_artifacts: The install_bundled_channel_from_artifacts() method has been removed, as the hot-activation flow it supported was never shipped.
• Removal of Unused SafetyLayer Field: The safety: Arc<SafetyLayer> field has been removed from the Reasoning struct. This change cascaded through approximately 18 files, including ContextCompactor, HeartbeatRunner, LlmSoftwareBuilder, spawn_heartbeat(), and register_builder_tool(), where the SafetyLayer parameter was no longer required in their constructors or function signatures.
• Overall Codebase Reduction: A total of 336 lines of dead code were removed across 17 files, significantly streamlining the codebase.

Changelog

• src/agent/agent_loop.rs
  • Removed the safety parameter from the HeartbeatRunner::new call.
• src/agent/commands.rs
  • Removed the safety parameter from HeartbeatRunner::new and Reasoning::new calls.
• src/agent/compaction.rs
  • Removed SafetyLayer import.
  • Removed the safety field from the ContextCompactor struct.
  • Removed the safety parameter from ContextCompactor::new and Reasoning::new calls.
  • Updated test helper make_compactor to no longer initialize or pass SafetyLayer.
• src/agent/dispatcher.rs
  • Removed the safety parameter from Reasoning::new calls.
  • Updated test cases to remove SafetyLayer initialization.
• src/agent/heartbeat.rs
  • Removed SafetyLayer import.
  • Removed the safety field from the HeartbeatRunner struct.
  • Removed the safety parameter from HeartbeatRunner::new and spawn_heartbeat functions.
  • Removed the safety parameter from the Reasoning::new call.
• src/agent/thread_ops.rs
  • Removed the safety parameter from ContextCompactor::new calls.
• src/agent/worker.rs
  • Removed the safety parameter from the Reasoning::new call.
• src/app.rs
  • Removed the safety parameter from the register_builder_tool call.
• src/evaluation/success.rs
  • Removed Arc and LlmProvider imports no longer needed.
  • Removed the LlmEvaluator struct and its impl block.
  • Removed #[allow(dead_code)] attributes from RuleBasedEvaluator methods.
• src/extensions/manager.rs
  • Removed the install_bundled_channel_from_artifacts method.
• src/llm/reasoning.rs
  • Removed SafetyLayer import.
  • Removed the safety field from the Reasoning struct.
  • Removed the safety parameter from Reasoning::new calls.
  • Updated test helper make_test_reasoning to no longer initialize or pass SafetyLayer.
• src/tools/builder/core.rs
  • Removed SafetyLayer import.
  • Removed the safety field from the LlmSoftwareBuilder struct.
  • Removed the safety parameter from LlmSoftwareBuilder::new and Reasoning::new calls.
• src/tools/registry.rs
  • Removed SafetyLayer import.
  • Removed the safety parameter from the register_builder_tool function.
• src/worker/runtime.rs
  • Removed the safety parameter from the Reasoning::new call.
• src/workspace/chunker.rs
  • Removed the chunk_by_paragraphs function.
  • Removed two associated test cases for test_paragraph_chunking and test_large_paragraph_handling.
• tests/e2e_routine_heartbeat.rs
  • Removed SafetyConfig and SafetyLayer imports.
  • Removed safety parameter from HeartbeatRunner::new calls.
  • Updated test setup to no longer initialize or pass SafetyLayer.
• tests/heartbeat_integration.rs
  • Removed SafetyLayer import.
  • Removed safety parameter from HeartbeatRunner::new call.

Activity

• The pull request author, zmanian, created this PR to remove dead code and unused dependencies.
• The PR description includes a detailed summary of changes and a test plan, indicating thorough self-review and testing by the author.
• No human comments or reviews have been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to remove a significant amount of dead code, improving codebase maintainability by simplifying function signatures and struct definitions. While this includes the removal of the unused safety field from the Reasoning struct and other components like LlmEvaluator, the removal of the safety layer from LlmSoftwareBuilder is a critical security concern. LlmSoftwareBuilder runs an autonomous agent loop with access to powerful tools like shell but currently lacks tool output sanitization, making it vulnerable to indirect prompt injection and potential Remote Code Execution (RCE) on the host system. The safety field should be retained and utilized to sanitize tool outputs within the builder's execution loop, in accordance with the rule that sanitization must be applied to data paths sent to external services like LLMs.

[gemini-code-assist]

The LlmSoftwareBuilder implements an autonomous agent loop that executes tools (such as shell, read_file, and http) and incorporates their outputs directly into the reasoning context without sanitization (see lines 714-719 in the full file). This makes the builder agent vulnerable to Indirect Prompt Injection. An attacker could provide a requirement that causes the agent to fetch malicious content, which then subverts the agent's instructions to execute unauthorized commands on the host system via the shell tool.

Removing the safety field from the LlmSoftwareBuilder and the Reasoning engine instead of implementing the missing sanitization (e.g., using self.safety.sanitize_tool_output) cements this vulnerability. It is recommended to retain the safety layer and use it to sanitize all tool outputs before they are added to the conversation context.

References

1. Tool output previews sent to trusted local endpoints (e.g., TUI, web gateway) should not be sanitized. Sanitization should only be applied to data paths sent to external services, such as an LLM. The LLM's reasoning context is considered a data path interacting with an LLM, thus requiring sanitization of tool outputs.