Back to Research

Keep the AI coding stack current and agents bounded

Updating the AI coding stack without losing agent bounds: connector cards, child receipts, decision stubs, and scope ledgers that survive upgrade weeks.

A Calm Watering Place--Extensive and Boundless Scene with Cattle, landscape painting by Alvan Fisher (1816).
Rogier MullerMarch 25, 20266 min read

You keep your AI coding stack current the same way you keep it safe: upgrade the tools and the bounds in the same pull request. An AI coding stack is the set of tools, rules files, and connectors your agents run through on every change. The version numbers move every few weeks. The contracts that say what an agent is allowed to do should move with them, because review speed comes back the moment intent stops hiding in chat.

This is a Cursor problem, but not only Cursor. The same lines apply to Claude Code, Anthropic's coding agent, and to Codex CLI, OpenAI's coding agent. The trick is to write down boundaries as files that survive upgrades, not as habits that live in someone's head.

Why the inherited-repo test matters

Open the first diff in an unfamiliar repo. If it bundles a refactor with an intent shift nobody wrote down, that is what an unbounded stack feels like from the receiving end.

A current stack with vague bounds is more dangerous than a stale stack with sharp ones. Parallel agents are not free parallelism. They are more surface area, and every extra agent is one more place where intent can go missing between the prompt and the merge.

The tempting mistake is to read a green CI run as team-wide confidence. Local greens prove the demo worked. They do not prove the next reviewer can explain why the change looks the way it does. If your team trains engineers, the scarcest asset is not tokens. It is intent you can inspect later.

Write four bounds that survive an upgrade

Each of these is one small artifact. None of them needs a new tool. They are the contracts that stay valid even when the version number under them changes.

Connectors default to capability demos. Least privilege needs explicit trust boundaries, which the MCP specification leaves to you. So keep a connector card: one markdown file per MCP server listing allowed actions, forbidden actions, owner, and rollback. Update it during upgrade week, not after.

Chained agents return summaries that quietly omit the paths their children touched, and a tool update can reshuffle what those children do. A child receipt block fixes that. Every child returns the paths it touched, the commands it ran, and the tests that prove the regression guards still hold. Parents stop green-lighting diffs they cannot see.

CI can be green while reviewers still ask "why this approach?" with no written answer anywhere. A decision stub puts the answer in the PR template: constraints considered, rejected alternatives, verification proof. Three lines move the debate from vibes to tradeoffs.

Cursor's .mdc rules sound precise until two reviewers argue about what they meant, a failure the Cursor agent docs cannot resolve for you. A scope ledger pins it down: five lines in the parent chat covering goal, allowed paths, forbidden paths, verification command, and merge owner.

Drop in a scope ledger you can paste

Here is the snapshot. It stays valid across stack versions because it names contracts, not features, so the same lines hold whether you run Cursor, Claude Code, or Codex CLI.

---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
  - "**/*"
alwaysApply: false
---

- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.

An upgraded stack is safe when a new reviewer can answer four questions cold. Keep this table next to the changelog.

Gate Question
Connector truth Which MCP servers fired, and were they expected?
Reviewer path Can someone unfamiliar trace intent without chat replay?
Risk routing Were red folders touched, and who approved?
Replay proof Which commands prove regression guards?

Before you merge, walk this short list:

  • Forked agent work lists parent and child responsibilities.
  • Red-folder paths got explicit human acknowledgement.
  • Scopes in the PR body match the folders in the diff.
  • Primary-doc links were smoke-checked after publishing edits.

A two-person team can adopt all four artifacts in a week, and they scale without a rewrite. The behavior-in-files pattern is the same one OpenAI's skills repository runs on, so you are not inventing anything new.

Common questions

  • How do you keep an AI coding stack current without breaking the bounds?

    Treat the bounds as part of the stack. Every upgrade touches four artifacts in the same PR: connector cards, scope ledgers, rules-file precedence, and receipt templates. If the tool version moves and the contracts stay frozen, the stack is current and the team is quietly exposed.

  • What breaks first when agents go out of bounds?

    Reviewer confidence breaks first. Diffs start bundling refactors with invisible intent shifts, and the person inheriting the repo cannot separate the stated goal from the ride-along changes. Bugs arrive later. The immediate cost is review slowing to archaeology speed while the merge queue keeps filling up behind it.

  • Is a stale stack safer than a current one?

    No, it just fails differently. A stale stack accumulates known gaps you can plan around. A current stack with vague bounds accumulates unknown gaps nobody is watching. The stable position is to ship current tools and keep the explainability artifacts versioned right beside them.

  • What is the minimum bound set for a small team?

    Four artifacts: a scope ledger per parent run, a connector card per MCP server, a decision stub in the PR template, and child receipt blocks for any forked work. None of this replaces architecture judgement. Agents speed up execution, not ownership, and the bounds buy containment, not taste.

  • Where should I start if I only have an hour?

    Re-date every connector card. That single pass tells you which connectors still touch data nobody listed on the diagram, which is the gap that bites hardest during upgrade week. If the upgrade notes go public, follow Google's people-first content and generative AI content guidance and show the evidence trail.

Start here

Pick the one bound your team argues about most and write it down today. If you want the upgrade-week sequence and how this fits a wider AI coding governance practice, our white paper lays it out.

Related training topics

Related research

Ready to start?

Transform how your team builds software.

Book a 15-minute sync