Skip to main content

Detect when AI code changes exceed declared task scope (MCP server)

Project description

越权检测 — Authority Boundary Detector (MCP server)

mcp-name: io.github.choreoatlas/over-reach-detector

Detects when AI code changes exceed declared task scope. Designed to plug into Cursor, Claude Code, and other MCP-compatible AI coding agents via the standard stdio transport.

Compares two things:

  1. Declared scope — the files (as fnmatch globs) and categories (tests, docs, infra, config, code) the task is allowed to touch.
  2. Actual diff — the files the AI actually modified.

If the actual diff exceeds the declared scope, the tool returns status=over_reach and lists the offending files and categories.

Install

From PyPI:

pip install over-reach-detector

From source:

git clone https://github.com/choreoatlas/over_reach_detector
cd over_reach_detector
pip install -e .

Quick start

Run all tests: python -m pytest -v

Try the CLI directly: python -m over_reach_detector.detector --input fixtures/example_pr_1.json --format markdown

Use as MCP server

Start the server (stdio transport): over-reach-detector (or python -m over_reach_detector.server from source)

Register with your AI agent:

  • Cursor: in ~/.cursor/mcp.json, add (after pip install over-reach-detector):
{
  "mcpServers": {
    "over-reach-detector": {
      "command": "over-reach-detector"
    }
  }
}

Dev / from source: use "command": "python", "args": ["-m", "over_reach_detector.server"] (run from repo root).

  • Claude Code: after pip install over-reach-detector, run claude mcp add over-reach-detector over-reach-detector (writes to ~/.claude.json). Dev / from source: claude mcp add over-reach-detector /absolute/path/to/python -m over_reach_detector.server.

The tool

check_scope_tool takes:

  • declared_files: list of fnmatch globs (e.g. ["docs/*.md", "tests/*.py"])
  • declared_categories: subset of ["tests", "docs", "infra", "config", "code"]
  • actual_files: list of file paths the AI modified
  • output_format: "json" (default) or "markdown"

Returns a report with:

  • status: in_scope (safe) | over_reach (block) | empty
  • file_overreach: files not matching any declared glob
  • category_overreach: inferred categories outside the declared set

Scope discipline

Current scope: CLI + MCP stdio server + 1 tool. Python only. fnmatch-based globs.

Out of scope (forbidden): code quality review, security audit, completeness governance, languages other than Python, multi-tool MCP servers, HTTP/SSE transport, GitHub Actions integration. These are deliberately deferred to later versions or never.

Example usage

Call check_scope_tool directly from Python (same logic the MCP server exposes):

import json
from over_reach_detector import server

result = server.check_scope_tool(
    declared_files=["docs/*.md"],
    declared_categories=["docs"],
    actual_files=["docs/a.md", "scripts/extra.py"],
    output_format="json",
)

report = json.loads(result)
print(report["status"])          # "over_reach"
print(report["file_overreach"])  # ["scripts/extra.py"]

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

over_reach_detector-0.0.5.tar.gz (7.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

over_reach_detector-0.0.5-py3-none-any.whl (7.2 kB view details)

Uploaded Python 3

File details

Details for the file over_reach_detector-0.0.5.tar.gz.

File metadata

  • Download URL: over_reach_detector-0.0.5.tar.gz
  • Upload date:
  • Size: 7.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for over_reach_detector-0.0.5.tar.gz
Algorithm Hash digest
SHA256 d74909b79e071642cb7159aeffb9a068ce28bf2d32ca5013a2add2265e418859
MD5 374c8e20bb45be2a83cd51f96e3e635d
BLAKE2b-256 5f6f8234368c699315311a43e9596933357366712b4d96fb1730edb97f6d82fc

See more details on using hashes here.

File details

Details for the file over_reach_detector-0.0.5-py3-none-any.whl.

File metadata

File hashes

Hashes for over_reach_detector-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 43a1220c25db3bd1ee83785f14b28ecfc5213970f5dc84c9ad14ebfb0ee48dfd
MD5 292faea9b46b03ea9b4edee63cb77d58
BLAKE2b-256 c883e333e1568b8b06fe9fefcd2018b0f63b3d8b1ffb4bbec6ceb90e47bf6d87

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page