Scan Score Fix

AI-agent
readiness, scored.

Charter scans any repository and returns a 0–100 readiness score in under two seconds — 18 rules across nine categories. Completely offline.

brew install use-charter/tap/charter

Get started

No network. No LLM calls. No data leaves your machine.

~/acme-api — charter doctor

0 /100

context

secrets

mcp safety

autonomy

Cross-vendor — works with the agents your team already runs

Claude Code

Cursor

Copilot

Windsurf

Codex

Gemini

Grok

18 rules · 9 categories

Repos fail readiness for boring, fixable reasons

Missing AGENTS.md, secrets visible to agents, an unpinned MCP server, no discoverable verify command. Charter checks the nine things that decide whether an agent helps or flails — and every finding carries a rule ID and a fix.

Context

4 rules

✓ clean

Secrets

2 rules

1 blocker −20

MCP Safety

3 rules

1 high −10

Agent Config

2 rules

✓ clean

Environment

1 rule

✓ clean

1 rule

✓ clean

Testing

1 rule

✓ clean

Autonomy

1 rule

1 medium −4

Governance

3 rules

informational

Findings 3 of 18 fired

blocker AE-SEC-001 Secrets Raw secret pattern in an agent-visible file src/config/auth.ts:42 auto-fix

high AE-MCP-001 MCP Safety MCP server is not pinned to an exact, current version .mcp.json:7 auto-fix

medium AE-AUTO-001 Autonomy No verify command discoverable via a task runner repo root

Seven commands · v1.0

A small, sharp command surface

No dashboard, no account, no telemetry. Everything runs from your shell — and from CI.

charter doctor

Scan the repo and print a 0–100 readiness score with a per-category breakdown. Exit 0 = pass, 1 = below threshold, 2 = error.

charter doctor

acme-apimain !v24.16.0

❯ charter doctor

[C] charter v1.0.0 · ~/acme-api

────────────────────────────────────────

Checked 18 rules · 3 findings · 1 BLOCKER · 1 HIGH · 1 MEDIUM

✗ BLOCKER AE-SEC-001 Secrets

raw secret in an agent-visible file

⚠ HIGH AE-MCP-001 MCP Safety

⚠ MEDIUM AE-AUTO-001 Autonomy

────────────────────────────────────────

Score 82/100 ████████████████░░░░ PASS ✓

threshold 80 · 1.84s · offline

charter init

Scaffold the context files an agent needs — AGENTS.md, charter.yaml, .gitignore — so the next scan starts from a clean baseline.

charter init

acme-apimain !v24.16.0

❯ charter init

[C] charter v1.0.0 · ~/acme-api

scaffolding missing context files…

+ AGENTS.md agent config scaffold

+ charter.yaml policy defaults

+ .gitignore (agent artifacts)

✓ 3 files written · baseline ready

charter fix

Diff-first auto-repair for supported rules. Nothing is written until you approve the unified diff. Secrets rules are never auto-touched.

charter fix

acme-apifix/mcp-pin !v24.16.0

❯ charter fix AE-MCP-001

proposed patch · .mcp.json

────────────────────────────────────────

- mcp-server-git

+ mcp-server-git@2026.1.14

────────────────────────────────────────

apply this patch? [y/N] › y

✓ patch applied · 1 file written

charter suppress

Record a governed waiver with a reason, owner, and optional expiry — an audit trail, not a mute button.

charter suppress

acme-apimainv24.16.0

❯ charter suppress AE-MCP-002 --reason vendored --expires 90d

writing waiver to charter.yaml…

✓ AE-MCP-002 waived by @dana

reason: vendored

expires: 2026-09-10

Suppression governed. Re-surfaces on expiry.

charter explain

Print the catalog metadata for any rule: id, name, category, severity impact, summary, and docs URL.

charter explain

acme-apimainv24.16.0

❯ charter explain AE-SEC-001

AE-SEC-001 NoRawSecretsInContext

─────────────────────────────────

category Secrets

severity BLOCKER (−20 pts)

summary Raw secret pattern in an agent-visible file

auto-fix yes

→ use-charter.dev/rules/AE-SEC-001

charter report

Write a self-contained, offline single-file HTML report — fonts and data inlined, opens from file:// with zero network.

charter report

acme-apimainv24.16.0

❯ charter report --open

scanning…

rendering HTML report…

✓ written charter-report.html (~143 KB)

self-contained · WCAG 2.2 AA · offline

SARIF 2.1.0 embedded

opening in browser…

charter version

Print the version, build provenance, commit SHA, and supply-chain verification status. Useful in CI logs and bug reports.

charter version

acme-apimainv24.16.0

❯ charter version

[C] charter v1.0.0

─────────────────────────

commit a1b2c3d · 2026-01-14

go 1.23.4

slsa level 3 · cosign verified ✓

sbom spdx-2.3

The adoption loop

From first scan to a gate that holds

Readiness isn't a one-time cleanup. Charter takes a repo from an honest baseline to ship-ready — then makes the score a wall every pull request has to clear.

charter init

Scaffold the baseline

baseline ready

Creates the context files an agent needs — AGENTS.md, charter.yaml, .gitignore — only what's missing.

charter doctor

Get your number

0 /100 Needs work

A static scan in under 2s scores the repo across 9 categories. Most repos land in the 40–60 range.

charter fix

Repair, diff-first

0 /100 Ship-ready +32

Approve unified diffs for the four safe fixers. Secrets and dangerous commands are never auto-touched.

charter suppress

Govern the exceptions

1 waived · 90d

Log an accepted risk with a reason, an owner and an expiry. An audit trail that re-surfaces — not a mute button.

charter-action@v1

Gate every PR

threshold ≥ 80

CI re-scores each pull request and blocks merges below threshold. Readiness stops drifting and only ratchets up.

GitHub Action

Gate every PR on readiness

The action downloads the signed binary, runs charter doctor --format sarif, and uploads to GitHub Code Scanning — so findings show up natively on the PR and merges below your threshold are blocked.

.github/workflows/charter.yml

# .github/workflows/charter.yml
name: Charter
on:
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  charter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: use-charter/charter-action@v1
        with:
          threshold: "80"
          verify: true

Wire the agent task runner #412

build passed

test passed

charter / readiness 82/100 · min 80 PASS ✓

All checks passed Ready to merge

The contract

It respects your machine and your data

Completely offline

No network calls. No LLM calls. No telemetry. Charter reads your files and nothing leaves the machine.

Apache-2.0, free forever

Open source and permissively licensed. Vendor it, fork it, ship it inside your own tooling.

SLSA Level 3 signed

Every release is supply-chain signed with verifiable provenance. Trust the binary you install.

SARIF 2.1.0 output

Standard static-analysis output that drops straight into GitHub Code Scanning and your existing tools.

No network callsNo LLM callsNo file deletionNo silent mutationEvery finding has a rule ID + fixSigned releases (SLSA L3)Public, stable score formulaCross-vendorSecrets never printedCLI free forever

AI-agentreadiness, scored.

Repos fail readiness for boring, fixable reasons

A small, sharp command surface

charter doctor

charter init

charter fix

charter suppress

charter explain

charter report

charter version

From first scan to a gate that holds

Scaffold the baseline

Get your number

Repair, diff-first

Govern the exceptions

Gate every PR

Gate every PR on readiness

It respects your machine and your data

Completely offline

Apache-2.0, free forever

SLSA Level 3 signed

SARIF 2.1.0 output

AI-agent
readiness, scored.