https://github.com/yooh-an/agent-rules-auditor
Audit AI agent instruction files; optional $20 setup PR for CI safety gate.
- Host: GitHub
- URL: https://github.com/yooh-an/agent-rules-auditor
- Owner: Yooh-an
- License: mit
- Created: 2026-05-24T01:40:51.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-05-24T03:19:05.000Z (about 1 month ago)
- Last Synced: 2026-05-24T03:25:28.354Z (about 1 month ago)
- Topics: agent-instructions, agent-safety, ai-agents, claude-code, codex, cursor, cursor-ai, developer-tools, github-actions, security-tools
- Language: Python
- Homepage: https://yooh-an.github.io/agent-rules-auditor/offer.html
- Size: 44.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# Agent Rules Auditor
Audit AI coding-agent instruction files for risky or ambiguous rules.
This is a small open-source CLI for teams using Codex, Claude Code, Cursor, Gemini CLI, or other coding agents with repo-local instruction files.
Public repo:
Landing page:
Release:
Buy the `$20` Pro Pack with PayPal:
After payment, request delivery or a setup PR:
Request a free public repo scan:
Announcement and setup PR scope:
Ask questions about the Pro Pack:
Preview the paid bundle contents: [`PRO_PACK_PREVIEW.md`](PRO_PACK_PREVIEW.md)
Use the free GitHub Action:
See the setup PR demo: [`examples/setup-pr-demo/`](examples/setup-pr-demo/)
Live setup PR demo:
Setup PR option:
Buyer FAQ:
Delivery manifest:
Public scan index with example findings from postgis, bpftrace, FastLED, and
other public instruction files:
Keyword landing pages:
- AGENTS.md audit:
- Cursor rules audit:
- Claude Code instructions audit:
It scans:
- `AGENTS.md`
- `CLAUDE.md`
- `GEMINI.md`
- `RULES.md`
- `.cursorrules`
- `.cursor/rules/*.md`
- `.cursor/rules/*.mdc`
Instruction file names are matched case-insensitively, so `AGENTS.MD` and
`Agents.md` are scanned too.
It flags risky patterns such as:
- destructive commands without approval language
- force-push instructions
- secret exposure instructions
- remote-code execution patterns
- privileged commands
- attempts to override higher-priority instructions
- vague "fix everything" scope
## 30 Second Demo
Run the included unsafe sample:
```bash
PYTHONPATH=src python3 -m agent_rules_auditor.cli examples/unsafe/AGENTS.md --fail-on none
```
You should see findings for destructive commands, secret exposure, remote
execution, instruction override language, and vague scope.
The `examples/` directory is skipped during whole-repo audits so the demo file
does not make this repository fail its own check.
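The file selection described above (the listed names, case-insensitive matching, and the `examples/` skip) can be sketched as follows. This is an added example, not the project's own code; scanning nested directories, skipping `examples/` and `.git` at any depth, and the function names are assumptions.

```python
import os
import tempfile
from pathlib import Path

# File names listed on this page, compared lowercased.
NAMED_FILES = {"agents.md", "claude.md", "gemini.md", "rules.md", ".cursorrules"}
CURSOR_SUFFIXES = {".md", ".mdc"}
SKIP_DIRS = {".git", "examples"}  # assumption: skipped at any depth


def is_instruction_file(rel: Path) -> bool:
    """True if a repo-relative path is one of the instruction files listed above."""
    if rel.name.lower() in NAMED_FILES:
        return True
    parents = [p.lower() for p in rel.parts[:-1]]
    # .cursor/rules/*.md and *.mdc: direct children only, like the glob.
    return parents[-2:] == [".cursor", "rules"] and rel.suffix.lower() in CURSOR_SUFFIXES


def find_instruction_files(root: str) -> list[str]:
    """Walk root and return sorted repo-relative POSIX paths of instruction files."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for fn in filenames:
            rel = Path(dirpath, fn).relative_to(root)
            if is_instruction_file(rel):
                found.append(rel.as_posix())
    return sorted(found)


def demo() -> list[str]:
    """Build a constructed repo layout in a temp dir and scan it."""
    layout = ["Agents.md", "docs/CLAUDE.MD", ".cursor/rules/safety.mdc",
              ".cursor/rules/nested/deep.md", "examples/unsafe/AGENTS.md", "README.md"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in layout:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("# constructed sample\n")
        return find_instruction_files(tmp)


if __name__ == "__main__":
    print(demo())
```

On a case-sensitive filesystem `AGENTS.md` and `agents.md` can coexist, which is why the comparison is done on the lowercased name rather than on one canonical spelling.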
## Install
From this directory:
```bash
python3 -m pip install .
```
Install directly from GitHub:
```bash
python3 -m pip install "git+https://github.com/Yooh-an/agent-rules-auditor.git"
```
Install the current release:
```bash
python3 -m pip install "git+https://github.com/Yooh-an/agent-rules-auditor.git@v0.1.3"
```
For local development without installation:
```bash
PYTHONPATH=src python3 -m agent_rules_auditor.cli .
```
## Usage
Audit the current repo:
```bash
agent-rules-audit .
```
Return JSON:
```bash
agent-rules-audit . --json
```
Fail CI on warnings:
```bash
agent-rules-audit . --fail-on warn
```
Disable failing:
```bash
agent-rules-audit . --fail-on none
```
## GitHub Action
Use the free action in pull requests:
```yaml
name: Agent Rules Audit
on:
  pull_request:
jobs:
  audit-agent-rules:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Yooh-an/agent-rules-auditor-action@v0.1.3
        with:
          fail-on: warn
```
See for inputs and setup notes.
## Example Output
```text
Agent instruction audit: 1 finding(s)
errors=1 warnings=0 info=0
ERROR AGENTS.md:12 [destructive-command]
Instruction mentions a destructive command.
Excerpt: Run git reset --hard when tests fail.
Fix: Require explicit user approval and a narrow path or target before destructive actions.
```
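A line-based check that yields findings in the shape shown above, and a `--fail-on` style gate over them, can look like this. It is an added example, not the project's own code: only the `destructive-command` id and its message come from the page, while the `vague-scope` id, the regexes, the severities, the guard-word list and the `error` threshold are assumptions.

```python
import re

# Only "destructive-command" and its message are from the page; the rest is assumed.
RULES = [  # (rule id, severity, pattern, message)
    ("destructive-command", "ERROR",
     re.compile(r"\bgit\s+reset\s+--hard\b|\bgit\s+clean\s+-\w*f|\brm\s+-\w*r", re.I),
     "Instruction mentions a destructive command."),
    ("vague-scope", "WARN",
     re.compile(r"\bfix\s+(everything|all)\b", re.I),
     "Instruction has unbounded scope."),
]
# Approval or prohibition wording on the same line suppresses a finding (assumed list).
GUARD = re.compile(r"\b(ask|confirm|approval|permission|never|do not)\b", re.I)
RANK = {"INFO": 0, "WARN": 1, "ERROR": 2}

SAMPLE = """\
# Agent rules (constructed sample)
Run git reset --hard when tests fail.
Ask for approval before running git clean -fd.
Fix everything you find in the repo.
"""


def audit(path, text):
    """Return one finding per (line, rule) match that has no guard wording."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rid, sev, pat, msg in RULES:
            if pat.search(line) and not GUARD.search(line):
                findings.append(dict(path=path, line=lineno, rule=rid, severity=sev,
                                     message=msg, excerpt=line.strip()))
    return findings


def render(findings):
    """Format findings like the example output above (without the Fix line)."""
    n = {s: sum(f["severity"] == s for f in findings) for s in RANK}
    out = [f"Agent instruction audit: {len(findings)} finding(s)",
           f"errors={n['ERROR']} warnings={n['WARN']} info={n['INFO']}"]
    for f in findings:
        out += [f"{f['severity']} {f['path']}:{f['line']} [{f['rule']}]",
                f["message"], f"Excerpt: {f['excerpt']}"]
    return "\n".join(out)


def should_fail(findings, fail_on):
    """CI gate for 'none', 'warn' or 'error' ('error' is an assumed value)."""
    return fail_on != "none" and any(
        RANK[f["severity"]] >= RANK[fail_on.upper()] for f in findings)
```

Calling `render(audit("AGENTS.md", SAMPLE))` reports lines 2 and 4 of the constructed sample; line 3 is not reported because it carries approval wording.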
## Open Source Core
The CLI is MIT licensed.
The paid product is the `$20 Agent Rules Pro Pack`: a setup bundle for teams that want to add this to a repo quickly without writing policy and CI files from scratch.
For public GitHub repositories, the `$20` purchase can also include a setup PR
that adds the workflow, starter policy, Cursor rule, and PR checklist directly
to the buyer's repo.
The Pro Pack includes:
- strict `AGENTS.md` template
- dry-run-first setup script
- Cursor `.mdc` safety rule
- GitHub Actions workflow
- PR checklist text
- reviewer prompt for risky agent-rule diffs
- setup PR for public GitHub repos
- team rollout checklist
- sample audit report
- buyer onboarding email
See `PRO_PACK.md` for the sales page copy and delivery promise.
Use the free GitHub Action:
See `examples/setup-pr-demo/` for the concrete PR files a buyer can expect
when they request the public-repo setup PR option.
See the live setup PR demo:
See the setup PR option page:
Buy the `$20` Pro Pack with PayPal:
The GitHub Sponsor button is configured through `.github/FUNDING.yml` to point
to the same purchase and setup PR links.
After payment, open the purchase thread to request delivery or a setup PR:
For GitHub Action setup PR requests, you can also use:
See the announcement for the setup PR scope:
Use the Q&A discussion for pre-purchase questions:
Request a free scan for a public repository:
See `PURCHASE.md` for the structured purchase request form and delivery notes.
See `BUYER_FAQ.md` for what is included, how delivery works, and when not to
buy the pack.
See `DELIVERY_MANIFEST.md` for the current paid ZIP hash, included files, and
setup-script verification notes.
See `PUBLIC_SCAN_EXAMPLES.md` for concrete findings from public AGENTS.md and
Cursor rule files.
Use `checkout-setup.md` if you need to replace the PayPal link with another
checkout provider.
## Support And Contributing
- [`SUPPORT.md`](SUPPORT.md) explains where to file CLI bugs and paid delivery requests.
- [`CONTRIBUTING.md`](CONTRIBUTING.md) covers local development and pull requests.
- [`SECURITY.md`](SECURITY.md) defines the safe reporting scope.
- [`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md) defines basic project behavior.
## Run Tests
```bash
PYTHONPATH=src python3 -m unittest discover -s tests
```
If macOS Python cannot write bytecode caches:
```bash
PYTHONPYCACHEPREFIX=/private/tmp/agent-rules-pycache python3 -m compileall src tests
```