Rule ID: AE-SEC-002 · Severity: Blocker · Category: Secrets · Auto-fixable: No
Charter never auto-fixes secret findings. Removing the literal value is not a complete fix — rotate the credential externally first. Assume it was exposed the moment it was committed.

Why this rule

MCP configurations are read by the agent runtime before tools execute. Unlike source code that may only be read occasionally, MCP configs are intentionally agent-visible by design — every tool invocation passes through them. A raw credential here is exposed to every model, every session, and every tool-call log that processes this context.

What triggers it

Charter scans tracked MCP configuration files for the same high-confidence credential patterns as AE-SEC-001:
Pattern                        Example prefix                     Min length
OpenAI API token               sk-                                20 characters
GitHub personal access token   ghp_                               30 characters
AWS access key ID              AKIA                               16 characters
Slack bot token                xoxb-                              20 characters
PEM private key                -----BEGIN ... PRIVATE KEY-----
Scanned files: .mcp.json, mcp.json, .cursor/mcp.json, .vscode/mcp.json, .claude/settings.json, claude_desktop_config.json, cline_mcp_settings.json, and any *.pkl file whose path contains mcp or config.

Neutralized (never fire): Environment variable references (${VAR}, $VAR) and placeholder strings (your-api-key-here) are explicitly excluded. Only literal credential values trigger the finding.

Detected values are redacted in Charter output (first 4 characters followed by …).

Examples

.mcp.json
{
  "mcpServers": {
    "my-server": {
      "type": "http",
      "url": "https://my-mcp-server.example.com",
      "headers": {
        "Authorization": "Bearer sk-proj-abc123T3BlbkFJXxyzABCDEF"
      }
    }
  }
}
# Charter detects: sk-p… (redacted) in .mcp.json — fires Blocker
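
The detection behaviour described under "What triggers it" (prefix patterns, neutralized env references and placeholders, four-character redaction), as an added example that is not Charter's own code. The regexes, the reading of "min length" as characters after the prefix, and the names scan_mcp_config, strings, ENV_REF and PLACEHOLDER are assumptions.

```python
import json
import re

# Assumed regexes built from the table's prefixes; "min length" is taken to
# mean characters after the prefix. Charter's real patterns are not shown here.
PATTERNS = {
    "OpenAI API token": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{30,}"),
    "AWS access key ID": re.compile(r"\bAKIA[A-Z0-9]{16,}"),
    "Slack bot token": re.compile(r"\bxoxb-[A-Za-z0-9-]{20,}"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ENV_REF = re.compile(r"\$\{\w+\}|\$\w+")              # ${VAR} or $VAR
PLACEHOLDER = re.compile(r"your-[a-z-]+-here", re.I)  # e.g. your-api-key-here


def strings(node, path=""):
    """Yield (json_path, value) for every string value in the parsed config."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_mcp_config(text):
    """Return (json_path, pattern_name, redacted_value) per literal credential."""
    findings = []
    for path, value in strings(json.loads(text)):
        literal = ENV_REF.sub("", value)  # env references never fire
        for name, rx in PATTERNS.items():
            for m in rx.finditer(literal):
                if not PLACEHOLDER.search(m.group()):
                    findings.append((path, name, m.group()[:4] + "…"))
    return findings


# Constructed sample: the page's example header plus two neutralized values.
SAMPLE = """{"mcpServers": {
  "literal": {"headers": {"Authorization": "Bearer sk-proj-abc123T3BlbkFJXxyzABCDEF"}},
  "env-ref": {"headers": {"Authorization": "Bearer ${MCP_API_KEY}"}},
  "placeholder": {"env": {"API_KEY": "sk-your-api-key-here-please-replace"}}
}}"""

if __name__ == "__main__":
    for finding in scan_mcp_config(SAMPLE):
        print(finding)
```

Reporting the JSON path with each finding shows which server entry and header or env key holds the literal, without echoing the secret.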

How to fix

1. Rotate the credential externally

Revoke and regenerate the secret in the provider’s dashboard before touching any files. The commit that introduced the literal value exposed it.

2. Remove the literal value from the MCP config

Delete the raw credential from the header value in the config file.

3. Replace with an environment variable reference

Use ${MCP_API_KEY} or $MCP_API_KEY in place of the literal value. Most MCP runtimes (npx, uvx) resolve environment variables at tool invocation time.

4. Commit the fix

Commit the updated config file. Charter re-scans on next run and clears the finding once no literal credential is detected.

5. If the secret is already in git history

The credential is compromised. Rotate first, then consider a history rewrite (git filter-repo) — coordinate with all collaborators before rewriting shared history.

Score impact

Secret findings apply a hard cap: the final Charter score is held at ≤ 49 while AE-SEC-001 or AE-SEC-002 is active. This overrides the base formula and all other scoring.
Use env var references in MCP auth headers. Most MCP runtimes resolve environment variables at tool invocation time — the credential never needs to live in the config file itself.
  • AE-SEC-001 — same patterns applied to agent context files
  • AE-MCP-001 — MCP servers must be pinned to exact versions
  • AE-MCP-003 — remote MCP servers must declare auth

CLI

charter explain AE-SEC-002