Stable rule vocabulary

AR001 through AR010 turn scanner findings into release-review language.

The rule codes are durable identifiers for CI gates, reports, remediation plans and exception reviews. Existing finding codes remain available for compatibility.

AR001 bounded writesAR002 confirmationAR003 destructive clarityAR004 bulk limitsAR005 sensitive dataAR006 previewAR007 scopeAR008 rollbackAR009 instructionsAR010 schema limits

Complete public rule coverage

Each entry below maps to docs/agentready/AGENTREADY_RULE_CODES.md and the current reference constants in agentready-core/types.js. Severity can vary when multiple current finding codes map to one rule; the table names the current highest or applicable severity range. Normative source document.

AgentReady public rule-code catalogue
RuleSource typeSeverityRisk detectedTrigger meaningRemediationLimitations
AR001_UNBOUNDED_WRITE_ACTIONUnbounded write action OpenAPI and MCP where current findings apply high A write, money movement, or externally visible action lacks bounded parameters. An amount, limit, quantity, price, discount, duration or similar field is accepted without a documented bound. Add minimum and maximum values, currency or unit constraints, closed sets and business limits. Current coverage follows implemented findings; it does not infer every dynamic business limit.
AR002_MISSING_CONFIRMATION_BOUNDARYMissing confirmation boundary OpenAPI and MCP critical A dangerous action lacks a documented human confirmation boundary. A dangerous action such as refund, pay, transfer, delete, send, export or cancel lacks preview, confirmation and verification guidance. Document preview, explicit human confirmation, execution and post-action verification. The scanner checks contract text and schema; it does not observe a live approval workflow.
AR003_DESTRUCTIVE_OPERATION_AMBIGUOUSDestructive operation ambiguous MCP in current implementation high A destructive or risky action is not described clearly enough for agent use. An MCP tool appears dangerous but its description does not explain the irreversible or external effect. Use precise descriptions that name the risky effect, target, confirmation and allowed use. Current public coverage is strongest for MCP dangerous-tool descriptions.
AR004_BULK_ACTION_WITHOUT_LIMITBulk action without limit OpenAPI and MCP where response structure is analyzable medium A collection, bulk, or large response operation lacks limits or structure. A list, export, bulk or collection response lacks pagination, size bounds or structured output. Add pagination, maximum limits, filters and response schemas designed for agent consumption. Runtime volume, permissions and tenant data are outside static detection.
AR005_SENSITIVE_DATA_EXPOSURESensitive data exposure OpenAPI and MCP high The tool may expose personal, financial, authentication or customer data. A contract exposes data classes that require least-privilege, redaction, pagination or boundary documentation. Document permission scope, redaction, pagination, data minimization and safe use boundaries. This is not a data protection audit or legal privacy certification.
AR006_MISSING_DRY_RUN_OR_PREVIEWMissing dry run or preview OpenAPI and MCP high or medium by finding A state-changing action lacks preview, success verification, or an equivalent safe check. A state-changing or irreversible operation lacks an explicit preview, dry run, idempotent check or verification path. Add preview endpoints, confirmation steps, post-action verification and clear success criteria. The scanner cannot prove that the runtime truly enforces the preview.
AR007_OVERBROAD_TOOL_SCOPEOverbroad tool scope OpenAPI and MCP high or medium by finding The tool scope or permission boundary is broader than an agent should receive. A tool exposes broad permissions, confusing context or capabilities beyond the task an agent needs. Separate narrow tools, document scopes, reduce permissions and make context boundaries explicit. Static analysis cannot inspect actual IAM grants or live authorization policy.
AR008_MISSING_IDEMPOTENCY_OR_ROLLBACKMissing idempotency or rollback OpenAPI and MCP where current findings apply medium The tool does not document corrective errors, retries, rollback or recovery behavior. Errors, retries or recovery behavior do not help an agent correct or safely retry a call. Document corrective errors, conflict handling, idempotency keys, retry guidance and recovery steps. Current public wording is broader than some implemented heuristics; treat as a contract-readiness signal.
AR009_UNCLEAR_AGENT_INSTRUCTIONSUnclear agent instructions OpenAPI and MCP medium The tool name, description, action type or usage instructions are unclear for agents. An operation or MCP tool is vague, missing usage boundaries or lacks output shape needed by an agent. Use stable names, business-context descriptions, when-to-use and when-not-to-use guidance, and output schemas. A clear contract can still be misused by a poorly controlled agent runtime.
AR010_MISSING_RATE_OR_SCOPE_LIMITMissing rate or scope limit OpenAPI and MCP medium or high by finding The tool contract lacks required fields, closed sets, schema constraints or scope limits. Input is too open, required fields are missing, or closed-set values are not encoded in schema. Add required fields, enums, structured input schemas, scoped parameters and explicit limits. This does not inspect live rate-limit enforcement unless it is expressed in the contract.

high / OpenAPI and MCP where current findings apply

AR001_UNBOUNDED_WRITE_ACTION

Unbounded write action

A write, money movement, or externally visible action lacks bounded parameters.

Current finding codes
unbounded_parameter
Trigger meaning
An amount, limit, quantity, price, discount, duration or similar field is accepted without a documented bound.
Remediation
Add minimum and maximum values, currency or unit constraints, closed sets and business limits.
Limitations
Current coverage follows implemented findings; it does not infer every dynamic business limit.

critical / OpenAPI and MCP

AR002_MISSING_CONFIRMATION_BOUNDARY

Missing confirmation boundary

A dangerous action lacks a documented human confirmation boundary.

Current finding codes
missing_human_confirmation_flow, dangerous_action_without_confirmation
Trigger meaning
A dangerous action such as refund, pay, transfer, delete, send, export or cancel lacks preview, confirmation and verification guidance.
Remediation
Document preview, explicit human confirmation, execution and post-action verification.
Limitations
The scanner checks contract text and schema; it does not observe a live approval workflow.

high / MCP in current implementation

AR003_DESTRUCTIVE_OPERATION_AMBIGUOUS

Destructive operation ambiguous

A destructive or risky action is not described clearly enough for agent use.

Current finding codes
mcp_dangerous_tool_weak_description
Trigger meaning
An MCP tool appears dangerous but its description does not explain the irreversible or external effect.
Remediation
Use precise descriptions that name the risky effect, target, confirmation and allowed use.
Limitations
Current public coverage is strongest for MCP dangerous-tool descriptions.

medium / OpenAPI and MCP where response structure is analyzable

AR004_BULK_ACTION_WITHOUT_LIMIT

Bulk action without limit

A collection, bulk, or large response operation lacks limits or structure.

Current finding codes
large_unstructured_response
Trigger meaning
A list, export, bulk or collection response lacks pagination, size bounds or structured output.
Remediation
Add pagination, maximum limits, filters and response schemas designed for agent consumption.
Limitations
Runtime volume, permissions and tenant data are outside static detection.

high / OpenAPI and MCP

AR005_SENSITIVE_DATA_EXPOSURE

Sensitive data exposure

The tool may expose personal, financial, authentication or customer data.

Current finding codes
sensitive_data_exposure
Trigger meaning
A contract exposes data classes that require least-privilege, redaction, pagination or boundary documentation.
Remediation
Document permission scope, redaction, pagination, data minimization and safe use boundaries.
Limitations
This is not a data protection audit or legal privacy certification.

high or medium by finding / OpenAPI and MCP

AR006_MISSING_DRY_RUN_OR_PREVIEW

Missing dry run or preview

A state-changing action lacks preview, success verification, or an equivalent safe check.

Current finding codes
irreversible_action, missing_success_verification
Trigger meaning
A state-changing or irreversible operation lacks an explicit preview, dry run, idempotent check or verification path.
Remediation
Add preview endpoints, confirmation steps, post-action verification and clear success criteria.
Limitations
The scanner cannot prove that the runtime truly enforces the preview.

high or medium by finding / OpenAPI and MCP

AR007_OVERBROAD_TOOL_SCOPE

Overbroad tool scope

The tool scope or permission boundary is broader than an agent should receive.

Current finding codes
overbroad_permission, agent_context_confusion
Trigger meaning
A tool exposes broad permissions, confusing context or capabilities beyond the task an agent needs.
Remediation
Separate narrow tools, document scopes, reduce permissions and make context boundaries explicit.
Limitations
Static analysis cannot inspect actual IAM grants or live authorization policy.

medium / OpenAPI and MCP where current findings apply

AR008_MISSING_IDEMPOTENCY_OR_ROLLBACK

Missing idempotency or rollback

The tool does not document corrective errors, retries, rollback or recovery behavior.

Current finding codes
non_corrective_error, missing_error_recovery
Trigger meaning
Errors, retries or recovery behavior do not help an agent correct or safely retry a call.
Remediation
Document corrective errors, conflict handling, idempotency keys, retry guidance and recovery steps.
Limitations
Current public wording is broader than some implemented heuristics; treat as a contract-readiness signal.

medium / OpenAPI and MCP

AR009_UNCLEAR_AGENT_INSTRUCTIONS

Unclear agent instructions

The tool name, description, action type or usage instructions are unclear for agents.

Current finding codes
unclear_operation_name, ambiguous_tool_description, missing_when_to_use, missing_when_not_to_use, unknown_action_type, mcp_vague_tool_name, mcp_missing_output_schema
Trigger meaning
An operation or MCP tool is vague, missing usage boundaries or lacks output shape needed by an agent.
Remediation
Use stable names, business-context descriptions, when-to-use and when-not-to-use guidance, and output schemas.
Limitations
A clear contract can still be misused by a poorly controlled agent runtime.

medium or high by finding / OpenAPI and MCP

AR010_MISSING_RATE_OR_SCOPE_LIMIT

Missing rate or scope limit

The tool contract lacks required fields, closed sets, schema constraints or scope limits.

Current finding codes
missing_enum, mcp_missing_input_schema, mcp_empty_input_schema, mcp_missing_required_fields
Trigger meaning
Input is too open, required fields are missing, or closed-set values are not encoded in schema.
Remediation
Add required fields, enums, structured input schemas, scoped parameters and explicit limits.
Limitations
This does not inspect live rate-limit enforcement unless it is expressed in the contract.

Severity model

  • critical means a dangerous action can cross a release gate when policy says critical findings fail.
  • high means agent misuse could cause external, sensitive, broad-scope or hard-to-reverse effects.
  • medium means the contract is ambiguous, under-specified or less corrective than an agent needs.
  • low means a lower-impact signal that still improves traceability or readiness.

Known coverage limits

Current rules are contract-level signals. They do not inspect live endpoints, live MCP servers, authorization grants, runtime tool construction, LLM decisions or production observability.

TimeProofs AgentReady does not guarantee that an AI agent will never fail. It identifies structural risks that may cause AI agents to misuse APIs, tools or MCP servers.