Cursor · Claude Code · AI coding agents · Constraints

Governance for Cursor and
Claude Code Workflows

AI coding agents move fast and make confident, undocumented choices. Stackbilder gives them constraints, threat models, and architecture records — so they work within your system, not around it.

Start free See a sample scaffold

✓CLAUDE.md-ready constraints ✓Agent-readable threat model ✓Session-persistent ADRs ✓Test plan for coverage tracking ✓Deterministic — same input, same output

What Cursor and Claude Code are great at

In-editor AI is the most effective way to implement code quickly across a real codebase.

Cursor and Claude Code are not app builders — they're coding assistants that work inside your actual codebase. That distinction matters. Unlike Lovable or Bolt, which generate greenfield apps, Cursor and Claude Code operate on code that already exists and carries your accumulated architectural decisions. They're exceptional at multi-file refactoring, implementing features against an existing API contract, writing test cases for existing functions, and navigating large codebases quickly. When given clear instructions, both tools produce syntactically correct, often genuinely good code at a pace no human can match.

The governance challenge with coding agents is different from the governance challenge with app builders. It's not that the output is bad — it's that the agent has no persistent memory of why your codebase looks the way it does. Every new session starts fresh. The agent sees the code but not the reasoning behind it. Without documented architectural constraints, the agent will make locally reasonable decisions that globally undermine your security model, your test coverage, or your dependency strategy — confidently, and without flagging that it's doing so.

The governance gap

What coding agents do without documented constraints

These aren't hypothetical risks. They're the class of change that happens in real codebases when AI coding agents work without documented architectural context.

T-001 breach

Agent replaces sessions with JWTs

The agent reads your cookie session code, decides JWTs are 'simpler', and refactors. Your T-001 threat mitigation — immediate session revocation — is now gone. The ADR that documented why you chose sessions over JWTs would have prevented this.

T-002 reintroduced

Agent introduces an ORM bypassing parameterized queries

You have documented parameterized query discipline in your DB access layer. The agent adds a new ORM that generates queries differently, bypassing your injection protection pattern. Without the constraint document, it had no signal that this was a violation.

New attack surface

Agent adds an unauthenticated API route

Implementing a new feature, the agent adds a /api/export endpoint without auth middleware. Your existing routes all have auth. This one doesn't — and it's now public. The constraint file would have specified that all /api/* routes require the auth middleware wrapper.

T-004 violation

Agent enables verbose errors in production

Debugging a production issue, the agent changes the error handler to return full error details 'for easier debugging'. Your T-004 information disclosure mitigation is now disabled. The threat model entry would have marked this as a constrained boundary.

T-006 risk

Agent adds a DB table without RLS

Adding a new feature, the agent creates a new database table and writes the queries. RLS policies — which your architecture requires on all tables — are not created. The constraint document would have specified that new tables need RLS before the migration runs.

Coverage drift

Agent removes tests to fix a test suite failure

A test is failing. The agent deletes the test and marks the task complete. Your test plan specified 85% branch coverage as a deployment gate. Without the test plan in context, the agent had no way to know the deletion was a coverage regression.

What Stackbilder adds

Governance artifacts that agents can actually read and reason about.

Agent-Readable Threat Model

STRIDE threat entries in structured, terse format that fits in an agent's context window. Each entry is a constraint: a risk, its severity, and the specific mitigation strategy. Agents loaded with the threat model can flag when a proposed change conflicts with a documented mitigation.

## T-001 Spoofing — CONSTRAINED BOUNDARY
Session revocation required. JWT auth is NOT acceptable
as replacement. Revocation latency must be sub-second.
Mitigation: D1 session store + server-side invalidation

## T-002 Tampering — CONSTRAINED BOUNDARY
All DB queries must use parameterized statements.
ORM query builders must be audited against this constraint.

Session-Persistent ADRs

Architectural decision records that explain why the codebase looks the way it does. When an agent reads your CLAUDE.md and finds ADR-001 explaining why you chose cookie sessions over JWTs, it has the context to push back on or flag a JWT refactor rather than executing it silently.

## ADR-001: Auth Strategy — DO NOT CHANGE WITHOUT REVIEW
Decision: Cookie sessions (not JWTs).
Reason: Immediate revocation required for account takeover
response. JWT invalidation latency is unacceptable.
Reversing this decision requires re-evaluating T-001.

Test Plan for Coverage Enforcement

Test specifications that agents should maintain, not remove. When the test plan is in an agent's context, it has the coverage targets and critical test cases that are deployment gates — making test deletion a flagged action rather than a transparent one.

## Coverage Gates — DEPLOYMENT REQUIRED
test_auth_revocation: must pass before deploy
test_rls_isolation: must pass before deploy
test_webhook_sig: must pass before deploy
Target: 85% branch coverage. Gate is enforced in CI.

constraints.yaml for Agent Context

A machine-readable constraint file that agents can parse and reference. Lists the non-negotiable patterns: which middleware is required on which routes, what patterns are prohibited, what dependencies require architectural review before addition. Designed to be included in CLAUDE.md or .cursorrules directly.

require_middleware:
  - pattern: /api/**
    middleware: [auth, rate-limit]
prohibited_patterns:
  - jwt_stateless_auth
  - raw_sql_string_concat
review_required:
  - new_db_table (requires: rls_policy)

Example output

CLAUDE.md section generated from Stackbilder governance output

# Architecture Constraints — Read before modifying auth or DB layers

Source: Stackbilder scaffold v1.0 | Pattern: cloudflare-workers-saas

## AUTH — CONSTRAINED BOUNDARY

Sessions are cookie-based via D1 session store. JWTs are EXPLICITLY NOT USED.
Reason: Immediate revocation required (ADR-001). Changing this requires
re-evaluating T-001 (session spoofing) and T-004 (revocation latency).
DO NOT refactor to JWT without flagging this for human review.

## DB ACCESS — CONSTRAINED BOUNDARY

All queries use D1 prepared statements. Raw string concatenation in SQL
context is prohibited (T-002 injection risk). ORM additions require
architectural review to verify parameterized query compliance.

## API ROUTES — REQUIRED PATTERN

All /api/* routes must apply [auth, rate-limit] middleware.
No exceptions without explicit documentation. New routes without middleware
are a T-006 violation (unauthenticated attack surface).

## NEW DB TABLES — REQUIRED ACTION

Every new D1 table migration must include RLS policy definition.
Tables without RLS are a T-003 information disclosure risk.
test_rls_coverage CI check will fail on tables missing policy.

How they work together

Cursor and Claude Code implement. Stackbilder constrains what they implement.

AI coding agents are tools, not architects. They implement what they're asked to, using patterns they've seen in training data, with no persistent memory of your system's constraints across sessions. That's not a criticism — it's a description of what the tools are. The right response isn't to use them less; it's to give them better context so their implementations land within your architecture.

Stackbilder generates the context that agents need: the threat model that defines the security boundaries, the ADRs that explain why those boundaries exist, and the constraints file that codifies the required patterns. Load these into your CLAUDE.md or .cursorrules file once, and every subsequent agent session starts with the constraints already in scope.

Agents working within documented constraints make different decisions than agents working without them. The governance layer doesn't slow the agent down — it prevents the cleanup work that undocumented agent sessions create.

Common questions

How do ADRs help with AI coding agents?

ADRs document the reasoning behind architectural decisions — not just what was chosen, but why, and what alternatives were rejected. When an AI coding agent encounters a pattern it finds suboptimal, documented ADRs provide the context that explains why that pattern exists and what the consequences of changing it are. Without ADRs, agents confidently undo decisions that had non-obvious reasons. With them, the agent has the context to work within the architecture.

Can I put my Stackbilder output in my CLAUDE.md or cursor rules?

Yes, and this is the intended workflow. The threat model, ADRs, and constraint file from your Stackbilder scaffold are designed to be agent-readable context. Paste the relevant sections into your CLAUDE.md or .cursorrules file. Now every agent session starts with the threat mitigations and architectural constraints already in context. The agent works within your system instead of improvising around it.

Do I need to regenerate the scaffold every time I use Cursor?

No. The Stackbilder scaffold is a one-time governance baseline for a given architectural pattern. Generate it at the start of a project, load it into your agent context, and update it when you make a deliberate architectural change. The deterministic engine means a regeneration produces identical output — useful for verifying nothing has drifted. You don't regenerate per session.

What's the biggest governance risk when using AI coding agents?

Confident, undocumented architectural changes. AI coding agents are trained to produce working code and will make architectural decisions — switching auth strategies, adding dependencies, changing error handling — without visibility into why the existing approach was chosen. Each individual change may be locally reasonable. The cumulative effect is a codebase that has drifted from its security model without anyone noticing.

How does Stackbilder's output work with agent context windows?

Stackbilder's governance artifacts are designed to be compact and machine-readable. The threat model uses structured T-00N entries. ADRs use a consistent header format. The constraints.yaml is terse by design. The full governance suite fits comfortably in an agent's context window, which means the agent can reason about architectural constraints in the same session it's implementing code — without the constraints being truncated.

AI App Hardening → ADR generator → Threat model generator → Lovable vs Stackbilder → Cloudflare Workers scaffold →

Give your AI coding agents constraints that last.

Start free. Threat model, ADRs, and constraint file — ready to paste into CLAUDE.md.