Rule ID: AE-CC-002 · Severity: High · Category: Agent Config · Auto-fixable: No

Why this rule

Without explicit edit boundaries, an agent has implicit full-repo write access — including CI workflows, migration files, environment config, and secret stores where an unreviewed change has operational or security impact. A missing boundary is not just a theoretical risk. An agent asked to “clean up the repo” or “fix the failing tests” has no constraint preventing it from modifying .github/workflows/, db/migrations/, or .env.production unless the context explicitly forbids it.
This rule is intentionally stricter than AE-CTX-001, which only requires a generic mention of edit scope. AE-CC-002 requires concrete path declarations — a vague “be careful with production files” does not satisfy it.

What triggers it

Charter reads all tracked agent context files — AGENTS.md, CLAUDE.md, .windsurfrules, .github/copilot-instructions.md, opencode.md, codex.md, DESIGN.md, SKILL.md, every file under .cursor/rules/, and PERMISSIONS.md when present — and checks whether any of them explicitly declare off-limits paths. The finding fires when none of those sources contains a concrete boundary listing sensitive directories. Charter looks for recognized sensitive-path tokens presented as restricted or off-limits:
  • .github/workflows/
  • terraform/ or infra/
  • db/migrations/
  • .env*
  • secrets/
  • credentials
A context file that references PERMISSIONS.md as the authoritative boundary document also satisfies the check.

Examples

An AGENTS.md that thoroughly documents the project architecture, commands, and stack — but contains no section declaring paths the agent must not edit:
AGENTS.md
```markdown
# AGENTS.md

## Project Overview
Go CLI scoring repos for AI-agent readiness.

## Stack
Go 1.26.3, Moonrepo, mise, hk, GHA.

## Commands
- Setup: `mise install`
- Verify: `moon run :check`
```

No off-limits section → flagged High.

How to fix

1. Identify your high-risk paths

Think about which directories in your repo, if accidentally modified by an agent, would be hardest to detect or recover from. Common candidates: CI workflows, migration files, environment config, secret stores, and production infrastructure.

2. Add an explicit off-limits section

Add a dedicated section to your AGENTS.md (or CLAUDE.md, .windsurfrules, etc.) listing those paths explicitly. Or create a PERMISSIONS.md and reference it from your context file.

3. Commit the change

Commit the update so every agent session that loads the context file inherits the boundary.
You don’t need to list every file — focus on directories where accidental edits would be hard to detect or recover from. Three to five concrete paths are enough to satisfy the rule and meaningfully constrain agent scope.
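
An added example, not Charter's own code: a local pre-check that approximates the rule as this page describes it, run against a flagged file, a vague one, a fixed one with an off-limits section, and one that delegates to PERMISSIONS.md. The restriction wording in `RESTRICT`, the section heading "Off-limits paths", the simple `PERMISSIONS.md` substring test, and all sample file contents are assumptions constructed for illustration.

```python
import re

# Sensitive-path tokens taken from the list on this page (".env*" matched as ".env").
SENSITIVE = (".github/workflows/", "terraform/", "infra/", "db/migrations/",
             ".env", "secrets/", "credentials")
# Assumed wording for "restricted or off-limits"; Charter's real matcher is not documented here.
RESTRICT = re.compile(
    r"off[- ]limits|(do not|don't|never|must not) (edit|modify|touch)|read[- ]only", re.I)
HEADING = re.compile(r"^#{1,6}\s+(.+)$")


def declared_boundaries(text):
    """Sensitive tokens found under a restrictive heading or on a restrictive line."""
    found, in_restricted_section = set(), False
    for line in text.splitlines():
        heading = HEADING.match(line)
        if heading:
            in_restricted_section = bool(RESTRICT.search(heading.group(1)))
            continue
        if in_restricted_section or RESTRICT.search(line):
            found.update(tok for tok in SENSITIVE if tok in line)
    return found


def has_edit_boundary(sources):
    """sources maps file name -> content; True when any source declares a boundary."""
    for text in sources.values():
        # Assumption: any mention of PERMISSIONS.md counts as delegating to it.
        if declared_boundaries(text) or "PERMISSIONS.md" in text:
            return True
    return False


# Constructed samples: a flagged file, a vague one, a fixed one, and a delegating one.
FLAGGED = "# AGENTS.md\n\n## Commands\n- Setup: `mise install`\n- Verify: `moon run :check`\n"
VAGUE = FLAGGED + "\nBe careful with production files. CI lives in .github/workflows/.\n"
FIXED = FLAGGED + ("\n## Off-limits paths\nDo not edit without human review:\n"
                   "- .github/workflows/\n- db/migrations/\n- .env.production\n- secrets/\n")
DELEGATED = FLAGGED + "\nEdit boundaries are defined in PERMISSIONS.md.\n"

if __name__ == "__main__":
    for name, text in [("flagged", FLAGGED), ("vague", VAGUE),
                       ("fixed", FIXED), ("delegated", DELEGATED)]:
        print(name, "pass" if has_edit_boundary({"AGENTS.md": text}) else "AE-CC-002 High")
```

The vague sample mentions `.github/workflows/` but only descriptively, so it still fails; a path counts only when it appears under a restrictive heading or on a restrictive line.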

Score impact

High (−10); no hard cap.

Edge cases

A single-purpose repo with no CI, no migrations, and no secrets may legitimately have broad edit scope. This is a documented false-positive risk — suppress with a reason if the repo genuinely has no sensitive paths.
When no agent context source exists at all, AE-CTX-001 already fires at Blocker severity. AE-CC-002 does not duplicate the absence finding — it only evaluates repos that have a context file but lack edit boundaries.
.cursor/rules/ content (all tracked files concatenated) is scanned alongside single-file context candidates. A boundary declared in any .cursor/rules/*.md file satisfies the check.

AE-CTX-001

Requires a base agent context file to exist.

AE-CC-001

Detects dangerous commands in hook configurations.

CLI

charter explain AE-CC-002