Rule ID: AE-SUPPRESS-001 · Severity: Medium · Category: Governance · Auto-fixable: No

Why this rule

A suppression without a reason is indistinguishable from accident. When a finding re-surfaces after a security review or team rotation, there is no record of why it was acceptable or who decided. Suppressions are a legitimate tool for managing accepted risk — but only when the decision is documented. A reason-less suppression creates a silent blind spot that grows harder to audit over time.

What triggers it

Charter audits every suppression that was applied during the current scan:
  • All entries in .charter-suppress.yml
  • Every inline # charter:ignore comment that matched a finding
For each applied suppression, Charter checks whether a reason field is present and non-empty. Both of these fire the finding:
  • A YAML entry with no reason: key
  • An inline directive with no reason="…" segment
The suppression itself still takes effect — Charter continues to suppress the underlying finding. A missing reason is a governance hygiene problem, not grounds to un-suppress. The deduction is applied to the score, not the original finding.

Examples

A .charter-suppress.yml entry with no reason field:
.charter-suppress.yml
suppressions:
  - rule: AE-CC-001
    expires: "2026-09-07"
    # no reason field → flagged Medium
An inline directive with no reason:
internal/scanner.go
// charter:ignore AE-MCP-001
func scanMCP() { ... }

How to fix

1. Find reason-less suppressions

Run charter explain AE-SUPPRESS-001 — Charter names the suppressed rule and its source file (YAML entry or inline comment location) in the finding evidence.
2. Add a meaningful reason

For YAML entries, add a reason: field. For inline comments, add reason="…" after the rule ID. Use plain language — a sentence is enough.
3. Use charter suppress for new entries

The charter suppress command always writes the reason for you when you provide --reason:
charter suppress AE-MCP-001 \
  --reason "vendored test fixture, not a real MCP server" \
  --expires 90d
A good reason answers: “Why is this finding acceptable in this repo, specifically?” Generic reasons like “not applicable” or “known issue” are technically valid but provide no value to future reviewers.

Score impact

Medium (−4); no hard cap. One finding per reason-less suppression entry.

Edge cases

A suppression entry whose rule never matched any finding this scan — but which is still non-expired — is still audited for a reason field. Expired entries are inert and not evaluated.
An inline # charter:ignore comment that matched no finding is not audited. Inline directives are discovered only at finding locations.
A reason: field containing only spaces or tabs counts as missing and fires the finding.
Secrets are suppressible like any rule. A reason-less AE-SEC-001 or AE-SEC-002 suppression is audited exactly the same way as any other rule.
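The audit described under "What triggers it", together with the edge cases listed above, as an added worked example in Go. This is illustrative code written for this page, not Charter's own implementation: it assumes the YAML file has already been decoded into Suppression structs (the decoder is not shown), takes the set of source lines whose inline directive matched a finding as an input (matchedLines, an assumed interface), and uses constructed sample entries and a constructed source file. It flags entries with a missing or whitespace-only reason, skips expired YAML entries, audits inline directives only at finding locations, and totals the Medium deduction.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Suppression is one .charter-suppress.yml entry after YAML decoding.
// Decoding is assumed to happen elsewhere; the entries below are constructed by hand.
type Suppression struct {
	Rule    string
	Reason  string
	Expires string // "YYYY-MM-DD"; empty means the entry never expires
}

// Finding is one AE-SUPPRESS-001 result: the suppressed rule and where the
// suppression lives (YAML entry or inline comment location).
type Finding struct {
	Rule   string
	Source string
}

// PerFindingDeduction is the Medium deduction stated on the rule page.
const PerFindingDeduction = 4

// ReasonMissing treats an absent or whitespace-only reason as missing.
func ReasonMissing(reason string) bool {
	return strings.TrimSpace(reason) == ""
}

// AuditYAML audits every non-expired entry whether or not it matched a finding;
// expired entries are inert and skipped.
func AuditYAML(entries []Suppression, now time.Time) []Finding {
	var out []Finding
	for i, e := range entries {
		if e.Expires != "" {
			exp, err := time.Parse("2006-01-02", e.Expires)
			if err == nil && !exp.After(now) {
				continue // expired: not evaluated
			}
		}
		if ReasonMissing(e.Reason) {
			out = append(out, Finding{Rule: e.Rule, Source: fmt.Sprintf(".charter-suppress.yml entry #%d", i+1)})
		}
	}
	return out
}

// inlineRe matches "// charter:ignore RULE" or "# charter:ignore RULE" with an optional reason="..." segment.
var inlineRe = regexp.MustCompile(`(?://|#)\s*charter:ignore\s+(\S+)(?:\s+reason="([^"]*)")?`)

// AuditInline audits only directives on lines that matched a finding during the scan
// (matchedLines is 1-based); directives that matched nothing are never looked at.
func AuditInline(path, src string, matchedLines map[int]bool) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		lineNo := i + 1
		if !matchedLines[lineNo] {
			continue
		}
		m := inlineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if ReasonMissing(m[2]) {
			out = append(out, Finding{Rule: m[1], Source: fmt.Sprintf("%s:%d", path, lineNo)})
		}
	}
	return out
}

// Deduction is the total score impact: one Medium finding per reason-less suppression, no cap.
func Deduction(findings []Finding) int {
	return PerFindingDeduction * len(findings)
}

// Constructed sample input.
var SampleEntries = []Suppression{
	{Rule: "AE-CC-001", Expires: "2026-09-07"},                                   // no reason: flagged
	{Rule: "AE-MCP-001", Reason: "vendored test fixture, not a real MCP server"}, // fine
	{Rule: "AE-SEC-001", Reason: " \t "},                                         // whitespace only: flagged
	{Rule: "AE-CC-001", Expires: "2025-01-01"},                                   // expired: inert
}

// SampleSource is a constructed file; directives sit on lines 3, 6 and 9.
const SampleSource = `package scanner

// charter:ignore AE-MCP-001
func scanMCP() {}

// charter:ignore AE-CC-001 reason="generated adapter, reviewed by the owning team"
func scanCC() {}

// charter:ignore AE-SEC-002
func unused() {}
`

// SampleMatchedLines: the directives on lines 3 and 6 matched findings; line 9 did not.
var SampleMatchedLines = map[int]bool{3: true, 6: true}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	findings := append(AuditYAML(SampleEntries, now), AuditInline("internal/scanner.go", SampleSource, SampleMatchedLines)...)
	for _, f := range findings {
		fmt.Printf("AE-SUPPRESS-001 Medium: suppression of %s at %s has no reason\n", f.Rule, f.Source)
	}
	fmt.Printf("score deduction: -%d\n", Deduction(findings))
}
```

Run as-is it reports three findings (YAML entries #1 and #3, and internal/scanner.go:3) for a total deduction of 12; the expired entry and the unmatched directive on line 9 contribute nothing, which is exactly the behaviour the edge cases above describe.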

AE-SUPPRESS-002

Requires an approver on permanent suppressions — the accountability companion to this rule.

AE-SUPPRESS-003

Informational — surfaces when the overall suppression rate is high.

CLI

charter explain AE-SUPPRESS-001
charter suppress <RULE> --reason "..." --expires 90d