Charter — AI-Agent Readiness Scanner

Rule ID: AE-SUPPRESS-002 · Severity: High · Category: Governance · Auto-fixable: No

Why this rule

A permanent suppression with no expiry and no approver is an unbounded waiver. It silently removes a finding from the score indefinitely with no human accountability attached. Unlike a time-bounded suppression — which expires and forces a re-evaluation — a permanent waiver with no approver can survive security reviews, team rotations, and architectural changes without ever being questioned. Charter refuses to honor it until a named approver accepts the risk.

What triggers it

Charter audits every active suppression — non-expired entries in .charter-suppress.yml and inline # charter:ignore directives matched to a finding — and flags any entry that is an explicit permanent waiver without a named approver. A suppression is a permanent waiver when its expires field is set to the literal value permanent. If that entry has no approver: field (or the approver is blank), Charter:

Flags the entry at High severity
Does not honor the suppression — the underlying finding remains active and is included in scoring

An unapproved permanent waiver is not honored. The original finding continues to affect the score until either an approver: is added or the suppression is converted to a time-bounded entry.

Suppressions with a future expires date, or with no expires at all (which applies a default TTL), are not permanent waivers and do not require an approver.

Examples

Failing
Passing

Permanent waiver with no approver — flagged High, suppression not honored:

.charter-suppress.yml

suppressions:
  - rule: AE-TEST-001
    reason: "Backend-only repo"
    expires: permanent
    # no approver field → flagged High, finding stays active

An entry that fires both AE-SUPPRESS-001 and AE-SUPPRESS-002:

.charter-suppress.yml

suppressions:
  - rule: AE-CC-002
    expires: permanent
    # no reason AND no approver → both rules fire

Permanent waiver with a named approver:

.charter-suppress.yml

suppressions:
  - rule: AE-TEST-001
    reason: "Backend-only repo — no application code, only data pipeline scripts"
    expires: permanent
    approver: "@tashfiqul"

A time-bounded suppression — no approver required:

.charter-suppress.yml

suppressions:
  - rule: AE-MCP-001
    reason: "Temporary during migration to new MCP server config"
    expires: "2026-09-01"

An entry with no expires field — default TTL applies, not a permanent waiver:

.charter-suppress.yml

suppressions:
  - rule: AE-CI-002
    reason: "CI bootstrap in progress"

How to fix

Identify unapproved permanent waivers

Run charter explain AE-SUPPRESS-002 — Charter lists every permanent waiver missing an approver, including the file location and the rule being suppressed.

Add an approver or convert to time-bounded

Choose one of two paths:Option A — Add an approver (keep the permanent waiver, add accountability):

- rule: AE-TEST-001
  reason: "Backend-only repo"
  expires: permanent
  approver: "@tashfiqul"   # ← add this

Option B — Convert to time-bounded (eliminate the permanent waiver):

charter suppress AE-TEST-001 \
  --reason "Backend-only repo" \
  --expires 90d

Confirm the finding clears

Run charter doctor to verify the finding no longer appears and the suppression is now honored.

AE-SUPPRESS-003 (Informational) surfaces when the overall suppression rate is high across the repo. AE-SUPPRESS-002 (High) is about accountability on permanent waivers specifically — the two rules are complementary, not redundant.

Score impact

High (−10); no hard cap. The underlying finding also remains active and contributes its own deduction, since the unapproved permanent waiver is not honored.

Edge cases

Malformed expires field

An expires value that is not YYYY-MM-DD or permanent fails closed — the engine treats the entry as inert, suppresses nothing, and the finding stays active. The malformed entry is not audited by AE-SUPPRESS-002 (only non-expired file entries and matched inline directives are audited).

Blank approver counts as missing

A approver: field containing only whitespace counts as missing and fires the finding.

Secret rule suppressions

Secrets are suppressible like any rule. An unapproved permanent AE-SEC-001 or AE-SEC-002 suppression fires this rule and is not honored — the ≤ 49 score cap for secrets remains in effect. An approved permanent secret suppression lifts the cap.

Both AE-SUPPRESS-001 and AE-SUPPRESS-002 can fire together

An entry that is both reason-less and a permanent waiver without an approver fires both AE-SUPPRESS-001 (Medium, −4) and AE-SUPPRESS-002 (High, −10) independently.

AE-SUPPRESS-001

Requires a reason on every suppression — the documentation companion to this rule.

AE-SUPPRESS-003

Informational — surfaces when the overall suppression rate across the repo is high.

CLI

charter explain AE-SUPPRESS-002
charter suppress <RULE> --reason "..." --approver "<name>"
charter suppress <RULE> --reason "..." --expires 90d

​Why this rule

​What triggers it

​Examples

​How to fix

​Score impact

​Edge cases

​Related rules

AE-SUPPRESS-001

AE-SUPPRESS-003

​CLI

Why this rule

What triggers it

Examples

How to fix

Score impact

Edge cases

Related rules

CLI