Over-Reach Detector

STDIOregistry active

Summary

Plugs into Cursor, Claude Code, or any MCP client over stdio and exposes a single tool, check_scope_tool, that compares declared task scope (fnmatch globs and category tags like tests, docs, config) against the files an AI agent actually modified. Returns in_scope, over_reach, or empty, listing any files or categories that exceeded the declared boundary. This is an audit layer, not enforcement. It reports the mismatch but doesn't block writes or roll back changes. You'd wire this into a workflow where you want an AI agent to declare its intended scope upfront, then verify afterwards whether it stayed within bounds before merging or deploying.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Over-Reach Detector (MCP server)

Detect and report when AI coding agents change files outside their declared task scope. Designed to plug into Cursor, Claude Code, and other MCP-compatible AI coding agents via the standard stdio transport.

Compares two things:

Declared scope — the files (as fnmatch globs) and categories (tests, docs, infra, config, code) the task is allowed to touch.
Actual diff — the files the AI actually modified.

If the actual diff exceeds the declared scope, the tool returns status=over_reach and lists the offending files and categories.

What this tool does and does not do

over-reach-detector is an audit/disclosure tool, not a sandbox and not a blocker.

It compares a declared task scope with the actual files/categories changed by an AI coding agent. If the actual changes exceed the declared scope, it reports that mismatch.

It does not prevent file writes by itself. It does not decide whether to revert, approve, or block a change. The caller remains responsible for enforcement, rollback, or human review.

Install

From PyPI:

pip install over-reach-detector

From source:

git clone https://github.com/choreoatlas/over_reach_detector
cd over_reach_detector
pip install -e .

Quick start

Run all tests: python -m pytest -v

Try the CLI directly: python -m over_reach_detector.detector --input fixtures/example_pr_1.json --format markdown

Use as MCP server

Start the server (stdio transport): over-reach-detector (or python -m over_reach_detector.server from source)

Cursor: in ~/.cursor/mcp.json, add (after pip install over-reach-detector):

{
  "mcpServers": {
    "over-reach-detector": {
      "command": "over-reach-detector"
    }
  }
}

Dev / from source: use "command": "python", "args": ["-m", "over_reach_detector.server"] (run from repo root).

Claude Code: after pip install over-reach-detector, run claude mcp add over-reach-detector over-reach-detector (writes to ~/.claude.json). Dev / from source: claude mcp add over-reach-detector /absolute/path/to/python -m over_reach_detector.server.

The tool

check_scope_tool takes:

declared_files: list of fnmatch globs (e.g. ["docs/*.md", "tests/*.py"])
declared_categories: subset of ["tests", "docs", "infra", "config", "code"]
actual_files: list of file paths the AI modified
output_format: "json" (default) or "markdown"

Returns a report with:

status: in_scope (within declared scope) | over_reach (reported mismatch) | empty
file_overreach: files not matching any declared glob
category_overreach: inferred categories outside the declared set

Scope discipline

Current scope: CLI + MCP stdio server + 1 tool. Python only. fnmatch-based globs.

Out of scope (forbidden): code quality review, security audit, completeness governance, languages other than Python, multi-tool MCP servers, HTTP/SSE transport, GitHub Actions integration. These are deliberately deferred to later versions or never.

Example usage

Call check_scope_tool directly from Python (same logic the MCP server exposes):

import json
from over_reach_detector import server

result = server.check_scope_tool(
    declared_files=["docs/*.md"],
    declared_categories=["docs"],
    actual_files=["docs/a.md", "scripts/extra.py"],
    output_format="json",
)

report = json.loads(result)
print(report["status"])          # "over_reach"
print(report["file_overreach"])  # ["scripts/extra.py"]

License

MIT — see LICENSE.

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Over-Reach Detector (MCP server)

Compares two things:

Declared scope — the files (as fnmatch globs) and categories (tests, docs, infra, config, code) the task is allowed to touch.
Actual diff — the files the AI actually modified.

If the actual diff exceeds the declared scope, the tool returns status=over_reach and lists the offending files and categories.

What this tool does and does not do

over-reach-detector is an audit/disclosure tool, not a sandbox and not a blocker.

It compares a declared task scope with the actual files/categories changed by an AI coding agent. If the actual changes exceed the declared scope, it reports that mismatch.

It does not prevent file writes by itself. It does not decide whether to revert, approve, or block a change. The caller remains responsible for enforcement, rollback, or human review.

Install

From PyPI:

pip install over-reach-detector

From source:

git clone https://github.com/choreoatlas/over_reach_detector
cd over_reach_detector
pip install -e .

Quick start

Run all tests: python -m pytest -v

Try the CLI directly: python -m over_reach_detector.detector --input fixtures/example_pr_1.json --format markdown

Use as MCP server

Start the server (stdio transport): over-reach-detector (or python -m over_reach_detector.server from source)

Cursor: in ~/.cursor/mcp.json, add (after pip install over-reach-detector):

{
  "mcpServers": {
    "over-reach-detector": {
      "command": "over-reach-detector"
    }
  }
}

Dev / from source: use "command": "python", "args": ["-m", "over_reach_detector.server"] (run from repo root).

Claude Code: after pip install over-reach-detector, run claude mcp add over-reach-detector over-reach-detector (writes to ~/.claude.json). Dev / from source: claude mcp add over-reach-detector /absolute/path/to/python -m over_reach_detector.server.

The tool

check_scope_tool takes:

declared_files: list of fnmatch globs (e.g. ["docs/*.md", "tests/*.py"])
declared_categories: subset of ["tests", "docs", "infra", "config", "code"]
actual_files: list of file paths the AI modified
output_format: "json" (default) or "markdown"

Returns a report with:

status: in_scope (within declared scope) | over_reach (reported mismatch) | empty
file_overreach: files not matching any declared glob
category_overreach: inferred categories outside the declared set

Scope discipline

Current scope: CLI + MCP stdio server + 1 tool. Python only. fnmatch-based globs.

Example usage

Call check_scope_tool directly from Python (same logic the MCP server exposes):

import json
from over_reach_detector import server

result = server.check_scope_tool(
    declared_files=["docs/*.md"],
    declared_categories=["docs"],
    actual_files=["docs/a.md", "scripts/extra.py"],
    output_format="json",
)

report = json.loads(result)
print(report["status"])          # "over_reach"
print(report["file_overreach"])  # ["scripts/extra.py"]

License

MIT — see LICENSE.

Over-Reach Detector

Over-Reach Detector (MCP server)

What this tool does and does not do

Install

Quick start

Use as MCP server

The tool

Scope discipline

Example usage

License

Over-Reach Detector

Over-Reach Detector (MCP server)

What this tool does and does not do

Install

Quick start

Use as MCP server

The tool

Scope discipline

Example usage

License

Related Productivity & Office MCP Servers

Related Productivity & Office MCP Servers