Skip to content
Specification › Rule catalog

The rule catalog.

Browse

Every rule, filterable.

All 240 rules across 29 clauses and 7 pillars. Type to filter on rule id, text, clause title, pillar, level, or weight. Press / to focus the filter,Esc to clear.

240 rules
Rule IDWeightLevelClausePillarText
AIC-clean-clone-bootstrapMUSTL0§1 Reproducible environment Engineering FoundationA clean clone `MUST` reach a working development state using documented steps.
AIC-lockfile-committedMUSTL0§1 Reproducible environment Engineering FoundationThe dependency lockfile `MUST` be committed to version control.
AIC-package-manager-pinnedMUSTL0§1 Reproducible environment Engineering FoundationThe package manager version `MUST` be pinned when the ecosystem allows it.
AIC-runtime-version-pinnedMUSTL0§1 Reproducible environment Engineering FoundationThe runtime version `MUST` be pinned.
AIC-deterministic-build-orderMUSTL0§1 Reproducible environment Engineering FoundationMulti-package repositories `MUST` have a deterministic build order.
AIC-lockfile-enforced-in-ciMUSTL0§1 Reproducible environment Engineering FoundationCI `MUST` reject changes that would invalidate the committed lockfile (for example via `--frozen-lockfile`, `npm ci`, `pip --require-hashes`, or equivalent).
AIC-lockfile-integrity-hashesMUSTL0§1 Reproducible environment Engineering FoundationDependency lockfiles `MUST` include integrity hashes where the ecosystem supports them, and CI `MUST` fail when integrity verification fails.
AIC-heavy-build-prerequisitesSHOULDL0§1 Reproducible environment Engineering FoundationHeavy builds `SHOULD` document memory, CPU, or platform prerequisites.
AIC-platform-targets-explicitSHOULDL0§1 Reproducible environment Engineering FoundationBrowser, runtime, and platform targets `SHOULD` be explicit.
AIC-containerized-dev-envMAYL0§1 Reproducible environment Engineering FoundationThe repository `MAY` provide containerized or sandboxed development environments for stronger consistency.
AIC-formatting-automatedMUSTL0§2 Static correctness Engineering FoundationFormatting `MUST` be automated and enforced.
AIC-dead-code-and-cycles-surfacedMUSTL0§2 Static correctness Engineering FoundationUnused variables, dead code, import cycles, and unsafe dependency patterns `MUST` be surfaced automatically.
AIC-lint-correctness-rulesMUSTL0§2 Static correctness Engineering FoundationLinting `MUST` include correctness rules, not only style rules.
AIC-strict-typing-enabledMUSTL0§2 Static correctness Engineering FoundationStrict typing or equivalent compile-time checks `MUST` be enabled.
AIC-ban-unsafe-escape-hatchesSHOULDL0§2 Static correctness Engineering FoundationThe repository `SHOULD` ban unsafe escape hatches such as untyped `any` unless explicitly justified.
AIC-debug-statement-lintSHOULDL0§2 Static correctness Engineering FoundationAd-hoc debug statements (for example `console.log`, `print`, `dump`, language-equivalent debug emitters) `SHOULD` be flagged or blocked by lint, leaving structured logging from §13 as the only sanctioned output path. Agents and humans alike scatter debug emitters during exploration and forget to remove them; without a lint-time backstop, the residue ships.
AIC-naming-export-conventionsSHOULDL0§2 Static correctness Engineering FoundationIt `SHOULD` enforce naming and export conventions where consistency materially improves maintenance.
AIC-domain-lint-rulesMAYL0§2 Static correctness Engineering FoundationThe repository `MAY` add repository-specific lint rules for domain conventions.
AIC-architecture-rules-automatedMUSTL1§3 Architecture boundaries Engineering FoundationArchitectural rules that can be machine-enforced `MUST` be automated.
AIC-dependency-directions-explicitMUSTL1§3 Architecture boundaries Engineering FoundationAllowed dependency directions `MUST` be explicit.
AIC-layer-responsibilities-definedMUSTL1§3 Architecture boundaries Engineering FoundationThe repository `MUST` define module, package, or layer responsibilities.
AIC-shared-layer-import-protectionMUSTL1§3 Architecture boundaries Engineering FoundationSensitive or shared layers `MUST` be protected from importing implementation-specific or infrastructure-specific code when architectural separation depends on that boundary.
AIC-boundary-testsSHOULDL1§3 Architecture boundaries Engineering FoundationThe repository `SHOULD` use boundary tests or scans in addition to linter rules.
AIC-coupling-review-checklistSHOULDL1§3 Architecture boundaries Engineering FoundationIt `SHOULD` include a review checklist for coupling risks that tooling cannot catch.
AIC-architecture-analysis-toolsMAYL1§3 Architecture boundaries Engineering FoundationThe repository `MAY` model architecture constraints in dedicated analysis tools if the codebase is large enough to justify it.
AIC-ci-guardrail-suiteMUSTL1§4 Pre-commit and CI gates Engineering FoundationCI `MUST` run the authoritative guardrail suite for protected branches.
AIC-ci-pinned-toolchainMUSTL1§4 Pre-commit and CI gates Engineering FoundationCI `MUST` use the pinned toolchain and locked dependency state.
AIC-protected-branch-status-checksMUSTL1§4 Pre-commit and CI gates Engineering FoundationProtected branches `MUST` require passing status checks before merge.
AIC-precommit-meaningful-checksMUSTL1§4 Pre-commit and CI gates Engineering FoundationPre-commit hooks `MUST` run meaningful local checks.
AIC-expensive-jobs-explicitSHOULDL1§4 Pre-commit and CI gates Engineering FoundationExpensive jobs `SHOULD` be separated intentionally rather than omitted silently.
AIC-fast-iteration-pathSHOULDL1§4 Pre-commit and CI gates Engineering FoundationThe repository `SHOULD` expose a fast-iteration command path — for example scoped tests, changed-file lint, or per-package verify scripts — so intermediate work can be validated cheaply without running the full guardrail suite on every iteration. The full suite remains the authoritative gate; the fast path is for the iteration loop.
AIC-local-ci-alignedSHOULDL1§4 Pre-commit and CI gates Engineering FoundationThe local and CI quality bars `SHOULD` stay closely aligned.
AIC-adaptive-staged-ciMAYL1§4 Pre-commit and CI gates Engineering FoundationThe repository `MAY` use adaptive or staged CI when the distinction between fast and slow checks is explicit and documented.
AIC-credential-handling-documentedMUSTL0§5 Secrets and credentials SecurityCredential handling `MUST` be documented for contributors and automation.
AIC-env-example-placeholdersMUST·whenL0§5 Secrets and credentials SecurityWhen the repository requires contributor-supplied or runtime environment variables, example environment files `MUST` contain placeholders only.
AIC-secret-vcs-excludeMUSTL0§5 Secrets and credentials SecuritySecret-bearing files `MUST` be excluded from version control.
AIC-push-protection-enabledMUST·whenL0§5 Secrets and credentials SecurityPush protection `MUST` be enabled when supported and feasible for the repository's hosting platform.
AIC-secret-scanning-enabledMUSTL0§5 Secrets and credentials SecurityAutomated secret scanning `MUST` be enabled.
AIC-credential-rotation-documentedSHOULDL0§5 Secrets and credentials SecurityThe repository `SHOULD` document how contributors and automation obtain development credentials, how those credentials are rotated, and what triggers a rotation (suspected leak, contributor offboarding, scheduled cadence). This is particularly important for AI agents, which cannot complete interactive credential-issuance flows and otherwise accumulate static, long-lived tokens.
AIC-custom-secret-patternsSHOULDL0§5 Secrets and credentials SecurityThe repository `SHOULD` define custom detection patterns for organization-specific secret formats.
AIC-mock-mode-fallbackSHOULDL0§5 Secrets and credentials SecurityIt `SHOULD` provide a safe mock mode or local fallback path that avoids requiring live secrets for common development flows.
AIC-secret-rotation-automationMAYL0§5 Secrets and credentials SecurityThe repository `MAY` integrate secret rotation or secret lease validation into operational workflows.
AIC-dependency-review-visibilityMUST·whenL1§6 Security scanning and dependency security SecurityDependency changes in pull requests `MUST` be visible to reviewers through automation or policy.
AIC-dependency-vuln-detectionMUST·whenL1§6 Security scanning and dependency security SecurityDependency vulnerability detection `MUST` be enabled.
AIC-sast-in-ciMUST·whenL1§6 Security scanning and dependency security SecuritySecurity-focused static analysis `MUST` run in CI for supported languages and platforms.
AIC-automated-dep-updatesSHOULDL1§6 Security scanning and dependency security SecurityThe repository `SHOULD` automate safe dependency update PRs.
AIC-license-review-automationSHOULDL1§6 Security scanning and dependency security SecurityIt `SHOULD` automate license review if distribution or compliance requirements apply.
AIC-vuln-alert-ownershipSHOULDL1§6 Security scanning and dependency security SecurityIt `SHOULD` track and assign ownership for unresolved vulnerability alerts.
AIC-dast-internet-facingMAYL1§6 Security scanning and dependency security SecurityInternet-facing applications `MAY` run dynamic application security testing (DAST) against a deployed environment to surface vulnerabilities that static analysis misses.
AIC-penetration-testing-periodicMAYL1§6 Security scanning and dependency security SecurityHigh-risk systems `MAY` undergo periodic penetration testing by an independent reviewer.
AIC-strict-new-dep-policyMAYL1§6 Security scanning and dependency security SecurityThe repository `MAY` apply stricter policies to new dependencies than to existing ones.
AIC-credential-leakage-checksMUSTL1§7 Authorization and trusted boundaries SecurityRepositories `MUST` have checks or tests that detect dangerous credential or role leakage into the wrong layers.
AIC-data-integrity-constraintsMUSTL1§7 Authorization and trusted boundaries SecurityData integrity constraints `MUST` exist where the persistence layer supports them.
AIC-authz-trusted-layerMUSTL1§7 Authorization and trusted boundaries SecurityAuthorization `MUST` be enforced in a trusted layer such as the backend, API, or data layer.
AIC-no-privileged-creds-in-clientMUSTL1§7 Authorization and trusted boundaries SecurityPrivileged credentials `MUST NOT` be present in untrusted client code.
AIC-sensitive-write-paths-ownedSHOULDL1§7 Authorization and trusted boundaries SecuritySecurity-sensitive write paths `SHOULD` have explicit ownership, auditability, and narrow interfaces.
AIC-defense-in-depth-clientMAYL1§7 Authorization and trusted boundaries SecurityThe repository `MAY` add defense-in-depth client-side controls for UX, as long as they are not misrepresented as authoritative controls.
AIC-prod-deploy-protectedMUST·whenL1§8 CI/CD workflow hardening SecurityProduction deployment paths `MUST` be protected from arbitrary execution and unauthorized triggering.
AIC-short-lived-deploy-credsMUST·whenL1§8 CI/CD workflow hardening SecurityDeployment credentials `MUST` be short-lived where the platform supports it.
AIC-workflow-token-least-privilegeMUST·whenL1§8 CI/CD workflow hardening SecurityWorkflow tokens `MUST` use least privilege.
AIC-action-version-pinnedSHOULDL1§8 CI/CD workflow hardening SecurityThird-party GitHub Actions `SHOULD` be referenced by a tagged version or release ref (for example `pnpm/action-setup@v6`) rather than a floating branch ref like `@main` or `@master`. A floating ref ships whatever is on that branch into CI on the next run; pinning to a release tag bounds what can change between deliberate bumps. Stronger SHA pinning is the `MAY` below, justified by threat model.
AIC-deploy-env-approvalsSHOULDL1§8 CI/CD workflow hardening SecurityIt `SHOULD` protect deployment environments with approval rules or environment policies.
AIC-oidc-federationSHOULDL1§8 CI/CD workflow hardening SecurityThe repository `SHOULD` use OIDC or equivalent identity federation instead of long-lived cloud secrets.
AIC-workflow-change-reviewSHOULDL1§8 CI/CD workflow hardening SecurityIt `SHOULD` review workflow file changes with extra scrutiny.
AIC-reusable-workflowsMAYL1§8 CI/CD workflow hardening SecurityThe repository `MAY` use reusable workflows or central workflow templates to reduce drift.
AIC-third-party-action-pinningMAYL1§8 CI/CD workflow hardening SecurityRepositories `MAY` SHA-pin third-party GitHub Actions when the threat model justifies it — production-deploy workflows, high-stakes tokens, or compliance regimes that require bit-exact reproducibility — paired with an automated bumper such as Renovate or Dependabot that keeps the pins current. Tag-pinning with an active bumper is the readable default; SHA-pinning without a bumper is worse than tag-pinning because pins go stale and stop receiving security patches.
AIC-threat-model-artifactMUST·whenL1§9 Threat modeling and security design review SecurityThreat modeling `MUST` produce a durable artifact identifying assets, trust boundaries, entry points, and likely attacker paths. A verbal agreement does not satisfy this requirement.
AIC-threat-model-requiredMUST·whenL1§9 Threat modeling and security design review SecurityInternet-facing, multi-tenant, regulated, or high-impact systems `MUST` undergo threat modeling or security design review.
AIC-threat-model-review-dateMUST·whenL1§9 Threat modeling and security design review SecurityRepositories subject to this requirement `MUST` record when the threat model was last reviewed.
AIC-threat-model-revisitSHOULDL1§9 Threat modeling and security design review SecurityThreat models `SHOULD` be revisited when authentication, deployment, storage, or trust boundaries change.
AIC-threat-model-lightweightMAYL1§9 Threat modeling and security design review SecurityLower-risk repositories `MAY` satisfy this requirement with lightweight design review rather than heavyweight formal exercises.
AIC-invariants-documentedMUSTL1§10 Runtime validation and invariants Quality & ReliabilityCritical invariants `MUST` be documented in one authoritative place.
AIC-invariants-executableMUSTL1§10 Runtime validation and invariants Quality & ReliabilityCritical invariants `MUST` be executable through tests, assertions, or validators wherever practical.
AIC-input-validationMUSTL1§10 Runtime validation and invariants Quality & ReliabilityExternal inputs, configuration, and machine-readable product metadata `MUST` be validated before use.
AIC-fail-fast-diagnosticsSHOULDL1§10 Runtime validation and invariants Quality & ReliabilityThe repository `SHOULD` fail fast on invalid inputs and emit actionable diagnostics.
AIC-structural-vs-semantic-validationSHOULDL1§10 Runtime validation and invariants Quality & ReliabilityValidation layers `SHOULD` separate structural validity from semantic validity.
AIC-non-fatal-warning-downgradeMAYL1§10 Runtime validation and invariants Quality & ReliabilityThe repository `MAY` downgrade suspicious but non-fatal states to warnings if the product can continue safely.
AIC-coverage-as-minimumMUST·whenL1§11 Testing strategy Quality & ReliabilityCoverage thresholds `MUST` exist if the team uses coverage as a guardrail, and those thresholds `MUST` be treated as a minimum rather than a target.
AIC-critical-behavior-testedMUSTL1§11 Testing strategy Quality & ReliabilityCritical business behavior `MUST` be covered by automated tests.
AIC-multiple-test-layersMUSTL1§11 Testing strategy Quality & ReliabilityThe repository `MUST` use multiple test layers rather than relying on a single style of testing.
AIC-excluded-suites-documentedSHOULDL1§11 Testing strategy Quality & ReliabilityEnvironment-specific or excluded test suites `SHOULD` be explicitly documented.
AIC-e2e-built-artifactSHOULDL1§11 Testing strategy Quality & ReliabilityEnd-to-end and acceptance tests `SHOULD` execute against the same artifact the repository ships (for example the production build output, a built container image, or the published package), not the development server alone. Bundling, tree-shaking, asset rewriting, and environment-variable inlining produce divergence between dev and prod that only appears when the built artifact is exercised.
AIC-test-strength-independentSHOULDL1§11 Testing strategy Quality & ReliabilityWhere coverage is used as a gate, the repository `SHOULD` assess test-suite strength through an independent mechanism such as mutation testing, property-based tests, or independent review. Coverage alone does not distinguish effective assertions from ones that pass trivially.
AIC-test-network-isolationSHOULDL1§11 Testing strategy Quality & ReliabilityTest environments `SHOULD` be deterministic where possible. Tests at the integration and end-to-end layers `SHOULD NOT` reach live external networks or shared production-like services by default; they `SHOULD` run against in-process mocks, recorded fixtures, or sandboxed substitutes, with any deviation explicitly opted in. Network nondeterminism amplifies AI-generated flakiness and erodes the signal of every gate that depends on the suite.
AIC-tests-colocatedSHOULDL1§11 Testing strategy Quality & ReliabilityTests `SHOULD` be located close to the code they protect.
AIC-fuzzing-parsersMAYL1§11 Testing strategy Quality & ReliabilityParser-heavy or security-sensitive components `MAY` use fuzzing to surface input-domain failures that example-based tests routinely miss.
AIC-risk-based-test-selectionMAYL1§11 Testing strategy Quality & ReliabilityThe repository `MAY` use differential or risk-based test selection in CI if the full quality bar remains intact before release.
AIC-a11y-component-checksMUST·whenL1§12 Accessibility Quality & ReliabilityShared UI components `MUST` be checked for serious accessibility failures.
AIC-a11y-review-testingMUST·whenL1§12 Accessibility Quality & ReliabilityAccessibility expectations for semantics, focus, and labeling `MUST` be part of normal review and testing.
AIC-a11y-helpersSHOULDL1§12 Accessibility Quality & ReliabilityThe repository `SHOULD` provide shared accessibility test helpers.
AIC-a11y-keyboard-focusSHOULDL1§12 Accessibility Quality & ReliabilityKeyboard behavior and focus management `SHOULD` be covered where interaction complexity warrants it.
AIC-a11y-extra-gatesMAYL1§12 Accessibility Quality & ReliabilityThe repository `MAY` enforce additional accessibility gates such as motion, contrast, or localization-specific checks.
AIC-failure-handling-explicitMUST·whenL1§13 Failure handling and observability Quality & ReliabilityProduction code `MUST` handle failure explicitly, not only through happy-path logic.
AIC-retries-backoff-deliberateMUST·whenL1§13 Failure handling and observability Quality & ReliabilityRetries, backoff, and fallback behavior `MUST` be deliberate where transient failure is expected.
AIC-observability-redactionMUST·whenL1§13 Failure handling and observability Quality & ReliabilityWhen the repository operates a service, app, worker, proxy, or production runtime that emits logs, telemetry, traces, or error reports, observability outputs `MUST` redact secrets, credentials, and personally identifiable information, and `MUST` avoid leaking unnecessary personal data. §22 extends this requirement to AI-specific surfaces such as prompts, agent transcripts, and tool outputs.
AIC-alert-ownershipSHOULDL1§13 Failure handling and observability Quality & ReliabilityIt `SHOULD` provide clear ownership for alerts, logs, and operational visibility.
AIC-preserve-user-workSHOULDL1§13 Failure handling and observability Quality & ReliabilityIt `SHOULD` preserve user work locally or durably when silent data loss would be unacceptable.
AIC-structured-error-patternsSHOULDL1§13 Failure handling and observability Quality & ReliabilityThe repository `SHOULD` define structured error handling patterns.
AIC-rich-diagnosticsMAYL1§13 Failure handling and observability Quality & ReliabilityThe repository `MAY` include richer diagnostic breadcrumbs, tracing, or client event telemetry where privacy and value justify it.
AIC-performance-budgetsMUST·whenL1§14 Performance and reliability Quality & ReliabilityUser-facing systems `MUST` define performance budgets if speed materially affects user experience.
AIC-reliability-expectationsMUST·whenL1§14 Performance and reliability Quality & ReliabilityServices and critical applications `MUST` define reliability expectations if downtime or latency materially affects users.
AIC-reliability-consequencesSHOULDL1§14 Performance and reliability Quality & ReliabilityReliability targets `SHOULD` have clear consequences or escalation paths when missed.
AIC-budgets-automatedSHOULDL1§14 Performance and reliability Quality & ReliabilityPerformance budgets `SHOULD` be measurable in automation.
AIC-slo-sli-error-budgetsMAYL1§14 Performance and reliability Quality & ReliabilityTeams `MAY` use SLOs, SLIs, error budgets, or equivalent models according to operational maturity.
AIC-release-dependency-identificationMUST·whenL1§15 Supply-chain transparency and artifact integrity ReleaseRepositories that publish artifacts `MUST` be able to identify what dependencies went into a release.
AIC-sbom-generationMUST·whenL1§15 Supply-chain transparency and artifact integrity ReleaseRepositories that publish artifacts to external consumers `MUST` generate an SBOM if the ecosystem and tooling support it reasonably.
AIC-build-immutable-refsSHOULDL1§15 Supply-chain transparency and artifact integrity ReleaseSource, build instructions, and outputs `SHOULD` be linked through immutable references where practical.
AIC-build-provenance-attestationSHOULDL1§15 Supply-chain transparency and artifact integrity ReleaseRepositories `SHOULD` provide provenance or attestations when downstream consumers need build trust.
AIC-release-from-ciSHOULDL1§15 Supply-chain transparency and artifact integrity ReleasePublished artifacts `SHOULD` be built from CI rather than developer workstations.
AIC-artifact-signingMAYL1§15 Supply-chain transparency and artifact integrity ReleaseRepositories `MAY` sign artifacts, verify attestations downstream, or adopt stronger supply-chain frameworks when their distribution model warrants it.
AIC-policy-enforcement-admission-controlMAYL1§15 Supply-chain transparency and artifact integrity ReleaseRepositories `MAY` enforce admission control or attestation verification in downstream deployment environments so unsigned or unprovenanced artifacts cannot run.
AIC-default-branch-protectedMUSTL1§16 Branch protection, ownership, and release governance ReleaseThe default branch `MUST` be protected.
AIC-required-checks-and-reviewsMUSTL1§16 Branch protection, ownership, and release governance ReleaseRequired checks and required reviews `MUST` be enabled for protected branches.
AIC-risky-change-ownershipMUSTL1§16 Branch protection, ownership, and release governance ReleaseRisky or sensitive changes `MUST` have clear ownership.
AIC-sensitive-path-ownershipMUST·whenL1§16 Branch protection, ownership, and release governance ReleaseRepositories `MUST` identify sensitive paths — for example, authentication and authorization code, CI/CD workflow files, deployment configuration, dependency manifests, and policy documents — and define path-level ownership for them when platform support exists.
AIC-human-review-requiredMUSTL1§16 Branch protection, ownership, and release governance ReleaseRequired-review approvals on protected branches `MUST` come from human reviewers; bot or agent accounts `MUST NOT` satisfy required-review counts and `MUST NOT` merge their own pull requests.
AIC-vuln-disclosure-pathMUST·whenL1§16 Branch protection, ownership, and release governance ReleasePublic or externally consumed repositories `MUST` provide a vulnerability disclosure path such as `SECURITY.md`.
AIC-codeowners-coverageSHOULDL1§16 Branch protection, ownership, and release governance ReleasePath-level ownership `SHOULD` cover auth, infrastructure, workflow, deployment, and policy files (for example, a `CODEOWNERS` file on platforms that support it).
AIC-codeowners-self-ownedSHOULDL1§16 Branch protection, ownership, and release governance ReleaseThe ownership manifest itself `SHOULD` have an owner.
AIC-deployment-separationSHOULDL1§16 Branch protection, ownership, and release governance ReleasePreview and production deployments `SHOULD` be separated.
AIC-merge-queue-policy-layersMAYL1§16 Branch protection, ownership, and release governance ReleaseThe repository `MAY` add merge queues, release trains, or additional policy layers for high-throughput teams.
AIC-ai-forbidden-actionsMUSTL2§17 AI operating model AI AgentsIt `MUST` identify actions the AI is not allowed to perform automatically.
AIC-ai-instruction-boundariesMUSTL2§17 AI operating model AI AgentsIt `MUST` define architectural boundaries, coding conventions, non-negotiable invariants, and approval requirements.
AIC-ai-instruction-coverageMUSTL2§17 AI operating model AI AgentsThat instruction source `MUST` describe how to build, test, lint, run, review, contribute, and determine when a change is ready to merge.
AIC-ai-instruction-authoritativeMUSTL2§17 AI operating model AI AgentsThe repository `MUST` provide one authoritative, versioned instruction source for AI agents.
AIC-tool-specific-pointer-onlyMUSTL2§17 AI operating model AI AgentsThe path of the authoritative source `MUST` be documented in `CONTRIBUTING.md` or `README.md` so contributors and AI tools can resolve it without guessing. Any tool-specific instruction files that exist alongside it `MUST` contain only a pointer to the authoritative source — they `MUST NOT` re-declare or contradict its content.
AIC-ai-instructions-discoverableSHOULDL2§17 AI operating model AI AgentsIt `SHOULD` keep AI-facing instructions concise, current, and linked from contributor documentation. As a working ceiling, the authoritative instruction source `SHOULD` stay under roughly 300 lines: longer files stop being read end-to-end by either humans or model context windows, and the seven coverage areas in `AIC-ai-instruction-coverage` collapse into prose rather than scannable rules. Push detail into linked policy docs rather than growing the instruction file.
AIC-ai-workflow-standardizationSHOULDL2§17 AI operating model AI AgentsThe repository `SHOULD` standardize common AI workflows such as implementation, review, PR preparation, release preparation, and incident fix handling.
AIC-ai-task-templatesMAYL2§17 AI operating model AI AgentsThe repository `MAY` provide specialized task templates or commands for recurring workflows.
AIC-scoped-ai-instructionsMAYL2§17 AI operating model AI AgentsMulti-package repositories `MAY` add path-scoped instruction files in subdirectories so rules that apply to only one package live next to the code they govern. Path-scoped files `MUST` extend the root authoritative source, `MUST NOT` contradict it, and `MUST NOT` re-declare approval boundaries or forbidden actions — the root file remains authoritative for those.
AIC-shared-skills-versionedMUST·whenL2§18 Skills and shared workflow modules AI AgentsRepositories that use shared skills, slash commands, or reusable AI workflow modules `MUST` version them in the repository.
AIC-skill-code-reviewMUST·whenL2§18 Skills and shared workflow modules AI AgentsShared skills `MUST` be reviewed like code when they can change files, invoke tools, affect releases, or alter external systems.
AIC-skill-contract-definedMUST·whenL2§18 Skills and shared workflow modules AI AgentsShared skills `MUST` define their purpose, expected inputs, expected outputs, and meaningful side effects.
AIC-skill-no-secretsMUST·whenL2§18 Skills and shared workflow modules AI AgentsShared skills `MUST NOT` contain secrets, tokens, or environment-specific credentials.
AIC-skill-shared-vs-personalSHOULDL2§18 Skills and shared workflow modules AI AgentsRepositories `SHOULD` separate project-shared skills from personal-only helpers.
AIC-skill-usage-examplesSHOULDL2§18 Skills and shared workflow modules AI AgentsShared skills `SHOULD` include usage examples for high-risk or non-obvious workflows.
AIC-skill-domain-groupingMAYL2§18 Skills and shared workflow modules AI AgentsRepositories `MAY` group skills by domain such as implementation, review, release, migration, or incident response.
AIC-skill-sample-fixturesMAYL2§18 Skills and shared workflow modules AI AgentsShared skills `MAY` include lightweight sample inputs or fixtures to make behavior easier to validate.
AIC-mcp-allowlistMUST·whenL2§19 MCP servers and external tool governance AI AgentsRepositories that use MCP servers `MUST` explicitly approve which servers are allowed for team workflows.
AIC-mcp-owner-purposeMUST·whenL2§19 MCP servers and external tool governance AI AgentsEvery approved MCP server `MUST` have a defined owner and purpose.
AIC-mcp-auth-securityMUST·whenL2§19 MCP servers and external tool governance AI AgentsOAuth- or token-based MCP integrations `MUST` use secure token handling and redirect validation appropriate to the platform.
AIC-mcp-least-privilegeMUST·whenL2§19 MCP servers and external tool governance AI AgentsMCP tools and servers `MUST` use least privilege.
AIC-mcp-write-vs-read-distinguishableMUST·whenL2§19 MCP servers and external tool governance AI AgentsWrite-capable MCP servers `MUST` be distinguishable from read-only ones.
AIC-mcp-root-scopingMUST·whenL2§19 MCP servers and external tool governance AI AgentsFilesystem roots and other exposed resources `MUST` be scoped deliberately to approved workspaces or data sources.
AIC-mcp-auditabilitySHOULDL2§19 MCP servers and external tool governance AI AgentsTeams `SHOULD` be able to identify which external systems an AI agent can read or mutate through MCP.
AIC-mcp-env-separationSHOULDL2§19 MCP servers and external tool governance AI AgentsDev, staging, and production MCP connectors `SHOULD` be separated when they touch operational systems.
AIC-mcp-pinned-versionsSHOULDL2§19 MCP servers and external tool governance AI AgentsMCP servers `SHOULD` be pinned to known versions or controlled deployment channels where possible.
AIC-mcp-prompt-reviewSHOULDL2§19 MCP servers and external tool governance AI AgentsMCP prompts exposed as slash commands `SHOULD` be reviewed before being relied on operationally.
AIC-mcp-read-only-defaultSHOULDL2§19 MCP servers and external tool governance AI AgentsTeams `SHOULD` prefer read-only MCP access by default.
AIC-mcp-root-promptSHOULDL2§19 MCP servers and external tool governance AI AgentsUsers `SHOULD` be prompted before exposing roots or other sensitive resources to MCP servers.
AIC-mcp-extra-sandboxingMAYL2§19 MCP servers and external tool governance AI AgentsTeams `MAY` apply additional sandboxing, network isolation, or execution controls to third-party MCP servers.
AIC-mcp-registry-discoveryMAYL2§19 MCP servers and external tool governance AI AgentsTeams `MAY` use the official MCP Registry for discovery, but they remain responsible for server vetting.
AIC-agent-parallel-isolationMUST·whenL2§20 Agents and delegation governance AI AgentsParallel agents `MUST NOT` edit overlapping files unless the workflow explicitly defines coordination for that case.
AIC-agent-permission-limitsMUST·whenL2§20 Agents and delegation governance AI AgentsAgents `MUST` have explicit tool, write, and approval limits.
AIC-agent-quality-gatesMUST·whenL2§20 Agents and delegation governance AI AgentsAgent-produced changes `MUST` pass the same quality gates as any other code contribution.
AIC-agent-scope-definedMUST·whenL2§20 Agents and delegation governance AI AgentsRepositories that use autonomous or delegated agents `MUST` define agent roles, scope boundaries, ownership, and success conditions.
AIC-agent-action-traceabilityMUST·whenL2§20 Agents and delegation governance AI AgentsEvery material agent action `MUST` produce a record with, at minimum: agent identity, model identifier and model-version ID, prompt or skill version, ISO 8601 timestamp with seconds, and action category (read / write / merge / deploy / settings-change / external-call). The record location `MUST` be the same one documented for `AIC-prompt-audit-trail`. The record `MUST` be queryable: an auditor `MUST` be able to list material actions by agent, action category, or time range with one command or API query. Prose-only attribution ("our agents log to Linear") does not satisfy this rule.
AIC-agent-bounded-delegationSHOULDL2§20 Agents and delegation governance AI AgentsDelegation `SHOULD` be limited to bounded, well-scoped tasks.
AIC-agent-escalation-trigger-enforcementMUST·whenL2§20 Agents and delegation governance AI AgentsRepositories that operate an autonomous runner `MUST` define and enforce escalation triggers before the runner performs destructive, security-sensitive, release-affecting, high-volume, or repeatedly failing actions. The triggers `MUST` include per-window action limits, a named escalation owner, and a response expectation or SLA for paused work.
AIC-agent-kill-switchMUST·whenL2§20 Agents and delegation governance AI AgentsRepositories that operate an autonomous runner (any agent that can merge, deploy, release, rotate settings, or otherwise act without per-change human approval) `MUST` provide a kill switch: a single documented action that immediately halts the runner, by both disabling its execution path (workflow, scheduled job, agent harness) and revoking or expiring the runner's credentials so a residual process cannot continue acting. The kill switch `MUST` be exercisable without a code change to the repository. This complements `AIC-agent-cost-ceiling`, which addresses cost runaway; this clause addresses content runaway.
AIC-agent-escalation-pathsSHOULDL2§20 Agents and delegation governance AI AgentsTeams `SHOULD` define escalation paths for uncertainty around security, production systems, data handling, or architecture changes.
AIC-agent-standard-rolesSHOULDL2§20 Agents and delegation governance AI AgentsTeams `SHOULD` define standard agent roles such as implementer, reviewer, researcher, or release helper.
AIC-agent-rollback-procedureMUST·whenL2§20 Agents and delegation governance AI AgentsRepositories that operate an autonomous runner `MUST` document a rollback procedure for content the runner has already merged, deployed, or released. The procedure `MUST` rely on the authorship-traceability mechanism from `AIC-ai-authorship-traceability` so that runner-authored commits, releases, or settings changes are mechanically identifiable for revert without manual archaeology. Incident response (§29) may invoke this procedure.
AIC-agent-structured-outputsSHOULDL2§20 Agents and delegation governance AI AgentsAgent outputs `SHOULD` be structured enough for safe handoff between agents and humans.
AIC-agent-versioned-instructionsSHOULDL2§20 Agents and delegation governance AI AgentsAgents `SHOULD` rely on repository-versioned instructions rather than hidden session state.
AIC-agent-benchmarkingMAYL2§20 Agents and delegation governance AI AgentsTeams `MAY` benchmark agent roles on representative tasks.
AIC-agent-extra-sandboxingMAYL2§20 Agents and delegation governance AI AgentsTeams `MAY` apply stronger sandboxing to higher-risk agents.
AIC-agent-trust-tiersMAYL2§20 Agents and delegation governance AI AgentsTeams `MAY` define trust tiers such as read-only, code-write, or release-capable agents.
AIC-ai-context-retentionMUST·whenL2§21 AI-specific risks AI RiskRepositories that retain AI conversation context, tool outputs, or training-adjacent data `MUST` state retention limits and sanitization rules.
AIC-ai-dependency-verificationMUST·whenL2§21 AI-specific risks AI RiskRepositories whose AI workflows can introduce dependencies `MUST` define how those dependency additions are verified before use, including whether the package exists in the canonical registry and who owns it.
AIC-ai-provider-allowlistMUST·whenL2§21 AI-specific risks AI RiskRepositories that route work to external AI providers or models `MUST` maintain an explicit allowlist. Each entry `MUST` record its approval scope — permitted data classifications (consistent with §22) and action categories (read-only research, code authoring, release-affecting automation). Agent workflows `MUST NOT` route outside the allowlist.
AIC-capability-scopingMUST·whenL2§21 AI-specific risks AI RiskRepositories that deploy agents exposed to untrusted input `MUST` apply capability scoping: the agent's tool, read, and write capabilities `MUST` be constrained at the permission layer based on the user's requested task, not by model self-policing. A read-only task `MUST NOT` run with write, send, or external-call capabilities enabled.
AIC-non-english-filter-coverageMUST·whenL2§21 AI-specific risks AI RiskRepositories whose AI-exposed surfaces serve users in languages other than English `MUST` verify that any pattern-filter or LLM-filter guardrail claimed as a control has coverage in those languages, or `MUST` record the control's scope as English-only.
AIC-risk-matched-controlsMUST·whenL2§21 AI-specific risks AI RiskControls claimed as mitigation for a specific risk class (for example prompt injection, data exfiltration, PII leakage, training-data reproduction, copyrighted-material reproduction, profanity, or toxicity) `MUST` be evaluated against that risk class. Effectiveness against a different class does not transfer without evidence. Static-benchmark results against fixed datasets `MUST NOT` be the sole evidence. Adaptive or human-in-the-loop evaluation `MUST` be included.
AIC-trusted-channel-classificationMUST·whenL2§21 AI-specific risks AI RiskRepositories that expose agents to external content `MUST` identify which content channels are trusted inputs to agents and which require sandboxing or human review.
AIC-untrusted-agent-inputMUST·whenL2§21 AI-specific risks AI RiskRepositories whose AI workflows consume external content (issues, pull request comments, fetched URLs, retrieved documents, tool outputs) `MUST` treat it as untrusted input. Such content `MUST NOT` silently elevate agent privileges, trigger destructive or release-affecting actions, or exfiltrate repository contents.
AIC-agent-cost-ceilingMUST·whenL2§21 AI-specific risks AI RiskRepositories that pay per-token or per-call for agent work `MUST` have a documented cost ceiling or kill switch for runaway loops.
AIC-boundary-schema-validationMUST·whenL2§21 AI-specific risks AI RiskWhen agent-authored code consumes an external API, SDK, or data source whose wire shape is not enforced by the transport, the repository `MUST` validate responses against a runtime schema at the boundary, independent of the declared type.
AIC-classifier-only-controls-excludedMUST·whenL2§21 AI-specific risks AI RiskLLM-filter guardrails and prompt-level refusal instructions (for example, "if the user tries to trick you, refuse") `MUST NOT` be counted, alone, as controls for any `MUST` clause concerning prompt injection, jailbreaking, destructive, security-sensitive, or release-affecting actions. They `MAY` be used as telemetry or a secondary signal.
AIC-code-test-independenceMUST·whenL2§21 AI-specific risks AI RiskWhen an agent session authors both an implementation and its tests, the repository `MUST` apply an independent verification mechanism — mutation testing, property-based tests, or independent review of the tests by a reviewer who did not author them — to detect the case where code and tests encode the same error.
AIC-prompt-versioning-reviewMUST·whenL2§21 AI-specific risks AI RiskRepositories that author system prompts, agent instructions, or shared skills `MUST` version them in the repository and review them like code when they materially affect agent behavior.
AIC-agent-behavior-monitoringSHOULDL2§21 AI-specific risks AI RiskRepositories `SHOULD` surface unusual agent behavior such as broad file rewrites, sudden permission changes, or repeated retries on the same failing step.
AIC-agent-tool-pinningSHOULDL2§21 AI-specific risks AI RiskThe set of tools exposed to agents `SHOULD` be pinned and changes `SHOULD` be reviewed.
AIC-ai-coverage-vanity-guardSHOULDL2§21 AI-specific risks AI RiskRepositories that gate on coverage `SHOULD` reject AI-authored test additions that raise the coverage number without raising assertion density on the lines they newly cover. Agents reliably generate tests that execute branches without checking observable behavior — clearing a percentage threshold while leaving the underlying logic unverified. Coverage growth without assertion growth is a vanity signal, not evidence the change is tested. This complements `AIC-coverage-as-minimum` (§11) and `AIC-test-strength-independent` (§11) by naming the AI-specific failure mode.
AIC-input-domain-property-coverageSHOULDL2§21 AI-specific risks AI RiskAgent-authored pure functions, parsers, and data transformations `SHOULD` be covered by property-based tests in addition to example-based tests. Agents reliably enumerate a handful of plausible inputs and miss input classes outside their training distribution — empty collections, Unicode, whitespace-only strings, duplicates, `NaN`, negatives, overlong inputs. Stating the invariant forces the coverage that sampling skips.
AIC-minimum-capability-setSHOULDL2§21 AI-specific risks AI RiskAgent workflows `SHOULD` derive the minimum required capability set from the user's requested task before the agent runs. Tasks that would combine read-from-untrusted-source and write-to-sensitive-sink capabilities in a single agent context `SHOULD` be rejected without an explicit approval step.
AIC-agent-isolated-workspacesMAYL2§21 AI-specific risks AI RiskRepositories `MAY` run agents in isolated workspaces, containers, or sandboxes when the blast radius of a mistake would be large.
AIC-model-output-attestationMAYL2§21 AI-specific risks AI RiskRepositories `MAY` adopt model-output attestation or signing as agent-provenance tooling matures.
AIC-ai-data-classificationMUSTL2§22 Data protection and privacy AI RiskRepositories `MUST` classify the data that flows through AI agents and tools: source code, secrets, customer data, regulated data, telemetry.
AIC-regulated-data-provider-gateMUST·whenL2§22 Data protection and privacy AI RiskRepositories whose AI workflows can expose regulated or secret data to provider context windows `MUST` prevent that data from entering any provider that is not explicitly approved for that data class.
AIC-ai-surface-redactionMUSTL2§22 Data protection and privacy AI RiskSecrets, credentials, and personally identifiable information `MUST` be redacted from AI-specific surfaces (prompts, agent transcripts, tool outputs, and AI-related error reports), extending the observability requirements of §13 to AI workflows.
AIC-data-residency-verifiedMUST·whenL2§22 Data protection and privacy AI RiskRepositories with data-residency requirements `MUST` verify that AI providers, MCP servers, and external tools respect those requirements.
AIC-regulated-data-controlsMUST·whenL2§22 Data protection and privacy AI RiskRepositories handling regulated data (health, finance, government, minors, and similar) `MUST` document the legal basis and controls for sending any such data to AI providers or external tools.
AIC-ai-fixturesSHOULDL2§22 Data protection and privacy AI RiskRepositories `SHOULD` provide a safe, scrubbed fixture set for AI workflows that would otherwise require real data.
AIC-ai-prod-data-readonlySHOULDL2§22 Data protection and privacy AI RiskAccess to production data through AI workflows `SHOULD` be read-only unless a write path is explicitly designed and approved.
AIC-data-minimization-techniquesMAYL2§22 Data protection and privacy AI RiskRepositories `MAY` adopt data minimization, synthetic-data generation, or differential-privacy techniques for AI workflows that require representative data.
AIC-human-approval-baselineMUSTL1§23 Human approval and manual checkpoints OversightThe repository `MUST` define which actions require explicit human confirmation. The baseline list `MUST` include every action that meets the Definitions of _destructive_, _security-sensitive_, or _release-affecting_; repositories may add more, but may not silently narrow these categories.
AIC-no-silent-destructive-actionsMUSTL1§23 Human approval and manual checkpoints OversightAI agents `MUST NOT` be allowed to silently perform destructive, security-sensitive, or release-affecting actions that the repository policy reserves for humans.
AIC-ai-authorship-disclosure-policyMUST·whenL1§23 Human approval and manual checkpoints OversightRepositories that accept contributions from outside the documented contributor group `MUST` publish a disclosure policy for materially AI-authored pull requests and `MUST` enforce it during intake review. The policy `MUST` define what "materially AI-authored" means for the repository, how authorship is declared in the pull request, and how missing or incorrect declarations are handled.
AIC-disclosure-evidenceSHOULDL1§23 Human approval and manual checkpoints OversightThe disclosure policy for materially AI-authored pull requests `SHOULD` specify the verification evidence expected — reproducible test output, screenshots of behavior, API traces, or equivalent — so reviewers can verify the change rather than re-generate it.
AIC-escalated-approval-categoriesSHOULDL1§23 Human approval and manual checkpoints OversightThe repository `SHOULD` escalate approval requirements for migrations, deployment changes, auth changes, or repository-wide rewrites.
AIC-human-approval-large-changesSHOULDL1§23 Human approval and manual checkpoints OversightHuman approval `SHOULD` be required before commit or push in workflows where AI can generate large or cross-cutting changes.
AIC-stronger-signoff-regulatedMAYL1§23 Human approval and manual checkpoints OversightTeams `MAY` add stronger sign-off requirements for regulated or high-impact systems.
AIC-authoritative-guardrail-docMUSTL1§24 Guardrail documentation and evidence OversightThe repository `MUST` document guardrails in one authoritative place.
AIC-gate-enforcementMUSTL1§24 Guardrail documentation and evidence OversightAn automated check `MUST NOT` be counted as enforcing a requirement from this document unless its failure blocks merge on the change path it evaluates. Jobs configured to continue on evaluation failure, or to otherwise mask non-zero results from the protected-branch status, `MUST` be labelled as advisory in the guardrail documentation.
AIC-guardrail-failure-surfaceMUSTL1§24 Guardrail documentation and evidence OversightIt `MUST` identify where each guardrail is defined and how failure is surfaced.
AIC-machine-vs-manual-guardrailsMUSTL1§24 Guardrail documentation and evidence OversightThat document `MUST` clearly state what is enforced automatically and what depends on review or process.
AIC-threshold-enforcementMUSTL1§24 Guardrail documentation and evidence OversightA threshold, budget, or limit declared in configuration `MUST NOT` be counted as an automatic guardrail unless an automated check evaluates it on every change path that claims it.
AIC-guardrail-active-evidenceSHOULDL1§24 Guardrail documentation and evidence OversightThe repository `SHOULD` maintain lightweight evidence that important guardrails are actually active, such as CI configuration, security settings, or documented repository policy.
AIC-guardrail-doc-maturity-mappingMAYL1§24 Guardrail documentation and evidence OversightTeams `MAY` map this document to maturity models or external standards if organizational compliance requires it.
AIC-policy-change-reviewMUSTL1§25 Policy governance OversightChanges to the adopted specification `MUST` go through the same review process as code, including required reviewers.
AIC-policy-living-documentMUSTL1§25 Policy governance OversightWhen a new AI-era risk becomes credible, the repository `MUST` decide whether to add or revise guardrails rather than treating the specification as frozen.
AIC-policy-owner-cadenceMUSTL1§25 Policy governance OversightThe adopted specification itself `MUST` have a named owner and a documented review cadence.
AIC-policy-effective-datesSHOULDL1§25 Policy governance OversightThe repository `SHOULD` record the effective date and last review date of the adopted specification.
AIC-policy-evidence-linksSHOULDL1§25 Policy governance OversightThe repository `SHOULD` link each checklist item to the specific automation, configuration, or review step that enforces it, so conformance is auditable in practice.
AIC-policy-external-mappingMAYL1§25 Policy governance OversightTeams `MAY` map this document to external standards or maturity frameworks when organizational compliance requires cross-referencing.
AIC-ai-authorship-traceabilityMUSTL2§26 AI-generated content: licensing and attribution OversightWhere the hosting platform or CI allows it, the repository `MUST` provide a way to identify materially AI-authored commits or pull requests after the fact — for example a commit trailer, PR label, or metadata field. The mechanism `MUST` be documented in the same place as the licensing declaration.
AIC-ai-output-licensing-declarationMUSTL2§26 AI-generated content: licensing and attribution OversightThe repository `MUST` declare its position on license and ownership for AI-generated content in a durable document (for example `CONTRIBUTING.md`, `LICENSING.md`, or the authoritative AI instruction file from §17). The declaration `MUST` say whether AI-generated code, documentation, and tests are accepted, and under what license they are contributed.
AIC-prompt-audit-trailMUST·whenL2§26 AI-generated content: licensing and attribution OversightRepositories where AI materially authors code that ships `MUST` record, for every material AI-generated change: the model identifier, the prompt or system-prompt version, and any skill version used. The record location (commit trailer, PR body field, release manifest, audit-log row, or equivalent) `MUST` be documented with the `AIC-ai-authorship-traceability` mechanism. The record `MUST` be queryable: an auditor `MUST` be able to list AI-authored changes by model, prompt version, or skill version with one command or API query. This makes `AIC-ai-authorship-traceability` concrete for L3+ and supports `AIC-agent-rollback-procedure`.
AIC-ai-model-provenanceSHOULDL2§26 AI-generated content: licensing and attribution OversightThe repository `SHOULD` record the model identifier on material AI-generated changes so provenance can be reconstructed if a downstream licensing question arises. Below L3 this remains a SHOULD; at L3+ it is covered by `AIC-prompt-audit-trail`.
AIC-licensing-disclosure-alignmentSHOULDL2§26 AI-generated content: licensing and attribution OversightThe repository `SHOULD` align its AI-authorship disclosure policy (§23) with the licensing declaration in this section so contributors see a single, consistent story for both attribution and legal status.
AIC-ai-input-retentionMAYL2§26 AI-generated content: licensing and attribution OversightThe repository `MAY` require contributors to retain prompts, tool outputs, or other inputs that produced material AI-generated changes for a defined period, where audit or regulatory needs justify it.
AIC-agent-credential-not-sole-approverMUST·whenL3§27 AI credential lifecycle OversightAn agent `MUST NOT` be the sole approver of a credential rotation or revocation that affects production systems or any sensitive sink. Approval `MUST` come from a human reviewer per §23.
AIC-agent-credential-auditMUST·whenL3§27 AI credential lifecycle OversightAgent-initiated credential creation, rotation, and revocation `MUST` produce a durable audit record naming the agent, the human approver (per §23), the credential class, and the scope of the change.
AIC-agent-credential-class-scopeMUST·whenL3§27 AI credential lifecycle OversightRepositories whose agents can create, rotate, or revoke credentials `MUST` enumerate which credential classes the agent is allowed to operate on. Agent operations on classes outside that enumeration `MUST NOT` be permitted.
AIC-agent-observed-credential-rotationSHOULDL3§27 AI credential lifecycle OversightRepositories `SHOULD` rotate any credential the agent demonstrably read from a transcript, tool output, or context window before continuing operations. The §22 redaction rules limit exposure; this rule treats observed exposure as a rotation trigger.
AIC-agent-credential-short-livedSHOULDL3§27 AI credential lifecycle OversightCredentials issued or rotated by an agent `SHOULD` be short-lived where the platform supports it, consistent with §8's deployment-credential rule.
AIC-agent-credential-distinct-identityMAYL3§27 AI credential lifecycle OversightRepositories `MAY` constrain agent credential operations to a separate role or harness identity distinct from the human-operator identity, so agent operations are distinguishable in audit logs.
AIC-allowlist-rescope-on-terms-changeMUST·whenL3§28 AI model and provider deprecation OversightWhen a vendor changes the data classifications or action categories an entry was approved for under §21 and §22, the entry's approval scope `MUST` be re-evaluated before agent workflows continue using it.
AIC-no-routing-past-eolMUST·whenL3§28 AI model and provider deprecation OversightAgent workflows `MUST NOT` continue routing to a deprecated or sunset entry past its end-of-life date without explicit re-approval recorded against the §21 allowlist.
AIC-provider-deprecation-procedureMUST·whenL3§28 AI model and provider deprecation OversightThe repository `MUST` define a procedure for evaluating an allowlist entry when the vendor announces deprecation, sunset, ownership change, or material terms-of-service change. The procedure `MUST` state who decides, on what evidence, and within what window.
AIC-provider-eol-trackedSHOULDL3§28 AI model and provider deprecation OversightThe repository `SHOULD` track the published end-of-life or deprecation status of allowlisted models and providers in the same place as the allowlist itself, so the dependency on third-party lifecycles is visible.
AIC-provider-fallback-pathSHOULDL3§28 AI model and provider deprecation OversightThe repository `SHOULD` plan a fallback path — an alternative allowlisted entry, a documented degradation mode, or an explicit pause of the affected workflow — before relying on a model or provider whose continuity is uncertain.
AIC-provider-deprecation-feedMAYL3§28 AI model and provider deprecation OversightRepositories `MAY` subscribe to vendor deprecation channels and surface notices in repository tooling rather than relying on out-of-band communication.
AIC-ai-incident-definitionMUST·whenL3§29 AI incident response and guardrail-update loop OversightRepositories that operate AI agents in production paths `MUST` define what counts as an AI-attributable incident, who triages it, and what evidence is preserved.
AIC-ai-incident-reviewMUST·whenL3§29 AI incident response and guardrail-update loop OversightAfter an AI-attributable incident, the repository `MUST` run a review that identifies the agent action that caused the harm, the control that should have prevented it, and whether that control existed, was bypassed, or was missing.
AIC-incident-guardrail-updateMUST·whenL3§29 AI incident response and guardrail-update loop OversightIf the incident review identifies a missing or weakened control, the guardrail documentation under §24 `MUST` be updated to reflect the new or strengthened control before similar agent work resumes.
AIC-incident-context-recordedSHOULDL3§29 AI incident response and guardrail-update loop OversightIncident reviews `SHOULD` record the model identifier, prompt or skill version, and tool set involved, consistent with `AIC-prompt-audit-trail` (§26, MUST when applicable for L3+) and `AIC-ai-model-provenance`, so the review is reproducible against the same operating context.
AIC-incident-evidence-lineageSHOULDL3§29 AI incident response and guardrail-update loop OversightRepositories `SHOULD` cross-link the incident record from the affected guardrail's evidence under §24, so future readers see the lineage from incident to control change.
AIC-incident-postmortem-cadenceMAYL3§29 AI incident response and guardrail-update loop OversightRepositories `MAY` operate a public or internal post-mortem cadence for AI-attributable incidents to share lessons across teams.

Why a separate catalog?

The prose specification (AI-CONTRIBUTOR-SPECIFICATION.md) is what humans read. The catalog is what machines read. Every clause, level, and rule appears in exactly one place — the catalog — and four downstream artifacts are generated from it on every release:

ProjectionPathAudience
specificationAI-CONTRIBUTOR-SPECIFICATION.mdHumans reading the spec.
checklist.ai-contributor-audit/AI-CONTRIBUTOR-CHECKLIST.mdAuditors filling out evidence rows.
coverageAI-CONTRIBUTOR-COVERAGE.mdAdopters planning their climb.
collectorRegistryskills/ai-contributor-audit/scripts/internal/collector-registry.tsThe audit runtime that fills evidence.

If you are building any tool that needs to know “which rules apply at L2”, “what’s the human-readable text of AIC-lockfile-committed”, or “is this a MUST or a SHOULD”, read the catalog. Never scrape the Markdown.

Top-level structure

The root document is a single object with nine required keys.

{
"$schema": "./AI-CONTRIBUTOR-RULE-CATALOG.schema.json",
"schemaVersion": "0.1",
"specVersion": "0.1.2",
"sourceOfTruth": "AI-CONTRIBUTOR-RULE-CATALOG.json",
"projections": { /* paths to the four generated artifacts */ },
"pillars": [ /* 7 entries */ ],
"levels": [ /* L0–L4 + a sentinel "—" Optional level */ ],
"clauses": [ /* 29 entries, indexed by number */ ],
"rules": [ /* one entry per stable AIC rule ID */ ]
}
FieldTypeNotes
$schemaconstAlways "./AI-CONTRIBUTOR-RULE-CATALOG.schema.json". Use this to validate.
schemaVersionconst "0.1"The shape of the file. Bumps independently of specVersion. See “Versioning” below.
specVersionstringSemVer of the spec content (e.g. 0.1.1). What clauses say.
sourceOfTruthconstSelf-identifier. Reminds tools the catalog is canonical, not the Markdown.
projectionsobjectPaths to the four generated files. Tools can verify a projection matches the catalog by re-running the generator.
pillarsarrayThe seven pillar headings, with icons and descriptions.
levelsarraySix entries: L0L4 plus the sentinel for rules that don’t gate any level.
clausesarray29 entries — each carries number, pillar, and title. Rules reference clauses by number.
rulesarrayThe atoms. One entry per stable AIC-* rule ID; checklist row metadata is nested on each rule.

The shape of a rule

Every entry in rules[] is a single stable AIC-* rule. The nested checklist object says which rendered checklist row the rule contributes to; several rule entries may share the same checklist row.

{
"id": "AIC-lockfile-committed",
"clause": 1,
"pillar": 1,
"scope": "MUST",
"level": "L0",
"text": "The dependency lockfile `MUST` be committed to version control.",
"checklist": {
"rule": "Pinned Toolchain",
"scope": "MUST",
"requirement": "Runtime version, package manager version, and lockfile are pinned."
},
"detectors": [
{
"id": "manual-review",
"kind": "manual",
"manualEvidence": "Review checklist row \"Pinned Toolchain\" and record current-run evidence."
}
],
"detectorConfidence": "manual"
}
FieldDomainNotes
id^AIC-[a-z0-9][a-z0-9-]*$Stable identifier. Treat as primary key. Within a major schema bump, IDs do not change meaning.
clauseinteger 1–29Reference into clauses[] by number.
pillarinteger 1–7Denormalised from clause for fast filtering.
scopeMUST · MUST when applicable · SHOULD · MAYRFC-2119-style obligation. MUST when applicable means the row’s applicability comes from the Profile.
levelL0L4 · The lowest level at which this rule is evaluated. means optional / never gates.
textstringThe normative sentence as it appears in the prose spec.
checklist.rulestringThe human-friendly row name in AI-CONTRIBUTOR-CHECKLIST.md; several rule IDs can share a row name.
checklist.requirementstringThe plain-English “what good looks like” that auditors fill evidence against. Together with checklist.rule and checklist.scope, this identifies the rendered checklist row.
detectors[]arrayHow automation can detect compliance. At least one detector is required.
detectorConfidenceindicative · manualindicative = automation can suggest a status; manual = a human is needed regardless.

Detector kinds

Each detector is one of two shapes (validated by oneOf in the schema):

// Detector A — handled by a typed routine in the audit runtime
{
"id": "clean-clone-bootstrap",
"kind": "collector-rule",
"path": "skills/ai-contributor-audit/scripts/internal/collector-registry.ts"
}
// Detector B — no automation possible; the auditor records evidence
{
"id": "manual-review",
"kind": "manual",
"manualEvidence": "Review checklist row \"X\" and record current-run evidence."
}

Tooling that wants to mirror what the official audit runtime does should look up the collector-rule’s id in the published collector registry. manual detectors are explicitly out-of-band — your tool can surface the manualEvidence string as a prompt.

Versioning: schemaVersion vs specVersion

Two version fields, two stability promises. Don’t conflate them.

  • schemaVersion — the JSON shape. Bumps when the structure of the catalog changes: fields added or removed, enum values changed, validation rules tightened. Tools parse against this. A schemaVersion bump means “your reader probably needs an update”.
  • specVersion — the content. Bumps when clauses, levels, or rules change meaning. Tools display this. A specVersion bump means “the rules your dashboard shows have changed” — the parser still works.

The stability promise

The catalog is stable within a minor release. Concretely:

Change kindWithin minor (e.g. 0.1.x)Minor bump (0.2)Major bump (1.0)
Add a new rulenoyesyes
Remove a rulenodeprecate firstyes
Rename a rule idnonoyes
Tighten scope (SHOULDMUST)noyesyes
Loosen scope (MUSTSHOULD)noyesyes
Move a rule’s levelnoyesyes
Edit a rule’s text (typos / clarification)yesyesyes
Add a new detector to an existing ruleyesyesyes
Add a new optional schema fieldnoyesyes
Change schemaVersionnoonly on shape changeyes

Bottom line: a tool pinned to a spec rev and a schema version is stable for the lifetime of that minor release. New rules and reclassifications wait for the next minor.

Consuming the catalog

Three patterns we see in the wild.

Pin and fetch

For dashboards, badges, and IDE integrations:

Terminal window
# Pin a tag, never main
SPEC_REV=v0.1.2
URL="https://raw.githubusercontent.com/ai-contributors/ai-contributor-spec/$SPEC_REV/AI-CONTRIBUTOR-RULE-CATALOG.json"
curl -sSL "$URL" -o catalog.json
jq -e '.schemaVersion == "0.1"' catalog.json # defensive check
jq -e '.specVersion == "0.1.2"' catalog.json

Vendor and validate

For tools that need to ship offline:

Terminal window
# Drop both files in your repo and validate at build time
ajv validate \
-s ./AI-CONTRIBUTOR-RULE-CATALOG.schema.json \
-d ./AI-CONTRIBUTOR-RULE-CATALOG.json

Filter for a level

The most common query — “what rules apply at L2?”:

Terminal window
# All rules evaluated at L2 (cumulative: L0 + L1 + L2)
jq '[.rules[] | select(.level | IN("L0","L1","L2"))] | length' catalog.json
# Just the MUSTs at L2
jq '[.rules[]
| select(.level | IN("L0","L1","L2"))
| select(.scope == "MUST")
| {id, clause, text}]' catalog.json

What you can build

  • An IDE inline-hint that surfaces the matching rule when a developer opens a file the audit flagged.
  • A Slack bot that posts the diff between two specVersions when the project bumps.
  • A second-source auditor in a different language — the schema is enough to round-trip the data model.
  • A “goals” dashboard showing how many rules a repo has closed, week-over-week.
  • A vendor-neutral badge service that validates a stamped audit.md against the catalog at the right rev.

If you build something with the catalog, open a PR adding it to CONTRIBUTING.md’s “Tools using the catalog” section.