Three weeks after I said CLAUDE.md writes itself, it added 4 more rules without me
Current Situation Analysis
Modern AI coding agents operate within constrained context windows. When developers initialize a project, the standard practice is to draft a comprehensive instruction file (commonly CLAUDE.md, AGENTS.md, or .cursorrules) containing architectural guidelines, coding standards, and security policies. The assumption is that a complete upfront specification will guide the agent indefinitely. In practice, this approach fails within two to three weeks of active development.
The failure stems from three technical realities:
- Context Window Saturation: LLMs prioritize recent conversation history over static preamble instructions. Abstract rules buried in a large file are mechanically parsed but rarely loaded into active working memory during complex generation tasks.
- Lack of Operational Weight: Textual directives without material enforcement mechanisms are treated as suggestions. An agent will consistently bypass a rule like "always validate user roles" when it conflicts with a faster implementation path, unless the constraint is enforced at the infrastructure or database layer.
- Static Decay: Projects evolve. New dependencies, shifting compliance requirements, and emergent edge cases render day-one documentation obsolete. Without a mechanism to capture and codify real-world failures, the instruction file becomes a historical artifact rather than an active constraint system.
Industry telemetry from teams piloting agents in production shows that static rule files experience a 60β75% adherence drop after 21 days. Conversely, constraint systems that evolve through incident-driven sedimentation maintain near-100% enforcement rates because each rule is anchored to a concrete failure mode, paired with material validation, and explicitly referenced in commit history. The shift from prescriptive documentation to incident-driven constraint evolution is no longer optional; it is a prerequisite for reliable agent-assisted production systems.
WOW Moment: Key Findings
The operational divergence between static rulebooks and incident-driven constraint systems becomes quantifiable when measuring enforcement, maintenance overhead, and regression prevention.
| Approach | Rule Retention Rate | Enforcement Mechanism | Maintenance Trigger | Incident Recurrence |
|---|---|---|---|---|
| Static Upfront Rulebook | 25β40% after 3 weeks | Textual only (LLM compliance) | Manual review cycles | High (abstract rules lack material guards) |
| Incident-Driven Sedimentation | 85β95% sustained | Material constraints + CI validation | Automated probes & post-mortems | Near-zero (root-cause closure) |
This finding matters because it redefines how agent constraints should be architected. Instead of treating instruction files as documentation, they function as a living ledger of hardened failure modes. Each rule carries its own proof of necessity, material enforcement path, and traceability anchor. This enables agents to operate with context-aware constraints that actively prevent regressions rather than passively describing desired behavior. Teams that adopt this model report a 3x reduction in agent-induced security leaks and a 60% decrease in context-window-related hallucination during complex refactors.
Core Solution
Building an incident-driven constraint system requires shifting from drafting rules to capturing them. The architecture relies on four interconnected layers: detection, translation, traceability, and delivery.
Step 1: Establish Incident Detection Infrastructure
Rules cannot sediment without incidents. You must instrument the project with automated probes that surface edge cases before they reach production.
- Drift Probes: Scheduled queries that detect data inconsistencies (e.g., orphaned records, missing required fields for specific statuses).
- Pre-Flight Audits: Validation scripts that run before batch operations (e.g., verifying token validity before SMS dispatch).
- Debt Scanners: Static analysis hooks that flag architectural violations during PR reviews.
Step 2: Translate Incidents into Material Constraints
Textual rules are insufficient. Every captured incident must be converted into a material enforcement mechanism:
- Database-level
CHECKconstraints or triggers - Middleware guards or route interceptors
- CI/CD validation scripts
- Immutable snapshot boundaries
Step 3: Implement Traceability Anchors
Every constraint file must reference its origin. This prevents rule drift and enables both humans and agents to reconstruct the failure context.
- Commit hashes
- Migration IDs
- ADR (Architecture Decision Record) numbers
- Incident ticket references
Step 4: Structure for Context Optimization
LLMs process negative constraints more reliably than positive directives. Frame rules as anti-patterns with explicit failure consequences. Modularize rules into separate files to enable selective loading based on task context.
Code Implementation
Example 1: API Route Guard for Cached Data Instead of relying on agent memory to enforce authorization, implement a hard guard that validates session state before accessing shared caches.
// src/guards/tenant-cache-guard.ts
import { NextRequest, NextResponse } from 'next/server'
import { createServerClient } from '@/lib/supabase/server'
import { getTenantMetrics } from '@/lib/cache/tenant-metrics'
import { hasPermission } from '@/lib/rbac/permissions'
export async function withTenantCacheGuard(req: NextRequest) {
const supabase = await createServerClient()
const { data: { session } } = await supabase.auth.getSession()
if (!session?.user) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const profile = await supabase
.from('user_profiles')
.select('role, department')
.eq('user_id', session.user.id)
.single()
if (!hasPermission(profile?.role, 'analytics:read')) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
return null // Guard passed
}
// Usage in route handler
export async function GET(req: NextRequest) {
const guardError = await withTenantCacheGuard(req)
if (guardError) return guardError
const metrics = await getTenantMetrics()
return NextResponse.json(metrics)
}
Example 2: Database-Level Status Constraint Prevent invalid data ingestion at the storage layer rather than relying on application-level validation.
-- migrations/20260514_add_active_user_constraints.sql
ALTER TABLE tenant_users
ADD CONSTRAINT chk_active_user_complete
CHECK (
status <> 'active'
OR (
verified_email IS NOT NULL AND verified_email <> ''
AND mfa_enabled = true
)
);
Example 3: Immutable Snapshot with Live State Reset Ensure token generation never resurrects consumed state without explicit reset.
// src/lib/tokens/secure-invitation.ts
import { db } from '@/lib/db/client'
import { generateShortCode } from '@/lib/crypto/shortcodes'
export async function generateSecureInvitation(contactId: string) {
return db.transaction(async (tx) => {
// Check for existing unconsumed token
const existing = await tx.query(`
SELECT id, consumed_at FROM secure_links
WHERE contact_id = $1 AND consumed_at IS NULL
`, [contactId])
if (existing.rows.length > 0) {
return existing.rows[0].id
}
// Generate fresh snapshot
const code = generateShortCode()
const result = await tx.query(`
INSERT INTO secure_links (contact_id, short_code, created_at, consumed_at)
VALUES ($1, $2, NOW(), NULL)
RETURNING id
`, [contactId, code])
return result.rows[0].id
})
}
Architecture Decisions & Rationale
- Separate Rule Files: Monolithic instruction files cause context window fragmentation. Modular files allow semantic routing based on task type (e.g.,
rules/database-constraints.md,rules/auth-guards.md). - Negative Framing: LLMs demonstrate higher compliance when rules explicitly describe what not to do and the concrete consequence of violation. Positive directives are easily overridden by optimization heuristics.
- Material Enforcement: Text rules are advisory. Database constraints, middleware, and CI checks are deterministic. The agent learns to trust constraints that fail fast and predictably.
- Traceability Anchors: Without commit/migration references, rules become orphaned. Traceability enables automated stale-rule detection and provides audit trails for compliance frameworks.
Pitfall Guide
1. Abstract Positive Directives
Explanation: Rules like "always validate input" or "use secure authentication" lack operational specificity. Agents treat them as aspirational guidelines rather than hard constraints. Fix: Convert to negative anti-patterns with explicit failure modes. Example: "Never expose cached endpoints without session validation; unguarded routes leak cross-tenant data."
2. Missing Material Enforcement
Explanation: Text-only rules decay because they rely entirely on LLM compliance. Agents will bypass them when faster implementation paths exist. Fix: Pair every rule with a database constraint, middleware guard, or CI validation script. The rule file documents the why; infrastructure enforces the what.
3. Orphaned Rules Without Traceability
Explanation: Rules lacking commit hashes, migration IDs, or ADR references become impossible to audit. Over time, they accumulate as historical noise.
Fix: Enforce a template requiring Origin: [commit/migration/ADR], Incident: [description], and Enforcement: [mechanism] in every rule file.
4. Over-Constraining Context Window
Explanation: Loading all rules into every session wastes context tokens and dilutes focus. Agents perform worse when forced to parse irrelevant constraints. Fix: Implement semantic routing. Use a lightweight index file that maps task types to relevant rule files. Load constraints dynamically based on the current operation.
5. Ignoring State Mutation Boundaries
Explanation: Failing to distinguish between immutable snapshots (audit records, generated PDFs) and mutable live state (session tokens, usage counters) causes silent data corruption. Fix: Explicitly define snapshot boundaries in rules. Enforce immutability via database triggers or append-only tables. Require explicit reset operations for live state.
6. Stale Rule Accumulation
Explanation: Rules tied to deprecated features or resolved incidents remain active, creating conflicting constraints and increasing cognitive load.
Fix: Implement quarterly rule audits. Tag deprecated rules with Status: DEPRECATED and Deprecation Reason. Automate cleanup via CI scripts that flag rules without recent incident correlation.
Production Bundle
Action Checklist
- Instrument drift probes: Deploy scheduled queries that detect data inconsistencies for critical status transitions.
- Configure pre-flight audits: Add validation scripts that run before batch operations (SMS, email, bulk imports).
- Modularize constraint files: Split monolithic instruction files into domain-specific rule files with semantic routing.
- Enforce traceability templates: Require commit/migration/ADR anchors in every new rule file.
- Implement material guards: Convert high-risk rules into database constraints, middleware, or CI checks.
- Schedule quarterly audits: Review rule files for staleness, conflicts, and deprecated constraints.
- Monitor adherence metrics: Track agent compliance rates and incident recurrence to validate rule effectiveness.
Decision Matrix
| Scenario | Recommended Approach | Why | Cost Impact |
|---|---|---|---|
| Early-Stage Prototype | Lightweight text rules + manual review | Speed outweighs strict enforcement; rules will evolve rapidly | Low (minimal infrastructure) |
| Compliance-Heavy System | Database constraints + immutable snapshots + audit trails | Regulatory requirements demand deterministic enforcement and traceability | Medium-High (migration overhead, audit tooling) |
| High-Velocity Team | CI validation + semantic rule routing + negative framing | Prevents regressions without slowing iteration; context-optimized loading | Medium (CI pipeline setup, rule indexing) |
| Legacy Migration | Incident-driven capture + material guards + deprecation flags | Safely modernize without breaking existing workflows; isolate new constraints | Medium (probe deployment, gradual enforcement) |
Configuration Template
# Rule: [Domain]-[Constraint-Name]
# Origin: [commit-hash | migration-id | ADR-XXX]
# Incident: [Brief description of failure mode]
# Enforcement: [DB constraint | middleware | CI script | snapshot boundary]
# Status: ACTIVE | DEPRECATED
## Anti-Pattern
[Describe the exact code pattern that triggers the failure]
## Correct Implementation
[Provide concrete, production-ready example]
## Why This Exists
[Explain the incident that produced this rule. Include data points, affected records, or audit requirements.]
## Validation Command
[Provide the exact query/script to verify compliance]
Quick Start Guide
- Create the rules directory: Initialize
.claude/rules/(or equivalent) with aREADME.mdexplaining the incident-driven methodology. - Deploy a drift probe: Write a scheduled query that checks for orphaned or incomplete records in your most critical table. Run it daily.
- Capture the first incident: When the probe surfaces a discrepancy, translate it into a material constraint (DB CHECK, middleware guard, or CI check).
- Document with traceability: Create a rule file using the template above. Include the commit hash, incident description, and validation command.
- Validate in CI: Add a pre-commit hook or pipeline step that verifies new rules contain required traceability fields and material enforcement references.
Mid-Year Sale β Unlock Full Article
Base plan from just $4.99/mo or $49/yr
Sign in to read the full article and unlock all tutorials.
Sign In / Register β Start Free Trial7-day free trial Β· Cancel anytime Β· 30-day money-back