Skip to main content

Detect when AI code changes exceed declared task scope (MCP server)

Project description

Over-Reach Detector (MCP server)

Detect and report when AI coding agents change files outside their declared task scope. Designed to plug into Cursor, Claude Code, and other MCP-compatible AI coding agents via the standard stdio transport.

Compares two things:

  1. Declared scope — the files (as fnmatch globs) and categories (tests, docs, infra, config, code) the task is allowed to touch.
  2. Actual diff — the files the AI actually modified.

If the actual diff exceeds the declared scope, the tool returns status=over_reach and lists the offending files and categories.

What this tool does and does not do

over-reach-detector is an audit/disclosure tool, not a sandbox and not a blocker.

It compares a declared task scope with the actual files/categories changed by an AI coding agent. If the actual changes exceed the declared scope, it reports that mismatch.

It does not prevent file writes by itself. It does not decide whether to revert, approve, or block a change. The caller remains responsible for enforcement, rollback, or human review.

Install

From PyPI:

pip install over-reach-detector

From source:

git clone https://github.com/choreoatlas/over_reach_detector
cd over_reach_detector
pip install -e .

Quick start

Run all tests: python -m pytest -v

Try the CLI directly: python -m over_reach_detector.detector --input fixtures/example_pr_1.json --format markdown

Use as MCP server

Start the server (stdio transport): over-reach-detector (or python -m over_reach_detector.server from source)

Register with your AI agent:

  • Cursor: in ~/.cursor/mcp.json, add (after pip install over-reach-detector):
{
  "mcpServers": {
    "over-reach-detector": {
      "command": "over-reach-detector"
    }
  }
}

Dev / from source: use "command": "python", "args": ["-m", "over_reach_detector.server"] (run from repo root).

  • Claude Code: after pip install over-reach-detector, run claude mcp add over-reach-detector over-reach-detector (writes to ~/.claude.json). Dev / from source: claude mcp add over-reach-detector /absolute/path/to/python -m over_reach_detector.server.

The tool

check_scope_tool takes:

  • declared_files: list of fnmatch globs (e.g. ["docs/*.md", "tests/*.py"])
  • declared_categories: subset of ["tests", "docs", "infra", "config", "code"]
  • actual_files: list of file paths the AI modified
  • output_format: "json" (default) or "markdown"

Returns a report with:

  • status: in_scope (within declared scope) | over_reach (reported mismatch) | empty
  • file_overreach: files not matching any declared glob
  • category_overreach: inferred categories outside the declared set

Scope discipline

Current scope: CLI + MCP stdio server + 1 tool. Python only. fnmatch-based globs.

Out of scope (forbidden): code quality review, security audit, completeness governance, languages other than Python, multi-tool MCP servers, HTTP/SSE transport, GitHub Actions integration. These are deliberately deferred to later versions or never.

Example usage

Call check_scope_tool directly from Python (same logic the MCP server exposes):

import json
from over_reach_detector import server

result = server.check_scope_tool(
    declared_files=["docs/*.md"],
    declared_categories=["docs"],
    actual_files=["docs/a.md", "scripts/extra.py"],
    output_format="json",
)

report = json.loads(result)
print(report["status"])          # "over_reach"
print(report["file_overreach"])  # ["scripts/extra.py"]

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

over_reach_detector-0.0.6.tar.gz (8.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

over_reach_detector-0.0.6-py3-none-any.whl (7.4 kB view details)

Uploaded Python 3

File details

Details for the file over_reach_detector-0.0.6.tar.gz.

File metadata

  • Download URL: over_reach_detector-0.0.6.tar.gz
  • Upload date:
  • Size: 8.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for over_reach_detector-0.0.6.tar.gz
Algorithm Hash digest
SHA256 6bd8d6bf7e149abe1621057990de2f70d92b243e0d22403e69cdb7affa99be3b
MD5 0c9438718e7d9931ae50674383e34563
BLAKE2b-256 742a933bbaaad90f3405178f8f2fa76f9f56b280c1c68bdae8221d1a0cf162d1

See more details on using hashes here.

File details

Details for the file over_reach_detector-0.0.6-py3-none-any.whl.

File metadata

File hashes

Hashes for over_reach_detector-0.0.6-py3-none-any.whl
Algorithm Hash digest
SHA256 e3a86b775f4ebc20d9ca22e9d6f8128e5a95cef34158e1682a923d007c4a9201
MD5 566f4f062a5a3bdf9d789292fc875308
BLAKE2b-256 b1121d7e22a4be620cbffdcb662255ac5e2f981c9ad3567c292f5d78f5f373b6

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page