fix: generate governance-compliant AGENTS baseline

CHANGELOG.md

@@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g
 
 ### Fixed
 
+- Updated generated `AGENTS.md` baseline content so `init --write` no longer creates instructions that fail the current governance scope or authority check.
 - Fixed secret redaction pattern order so Anthropic-style `sk-ant-` keys match the specific Anthropic pattern before the generic `sk-` pattern.
 - Tightened governance regex coverage for review/CI bypass, unsafe command guidance, and runtime network or LLM dependency findings.
 - Expanded secret-like token redaction coverage.

src/agent_rules_kit/init_write.py

@@ -10,11 +10,32 @@
 
 BASELINE_AGENTS_CONTENT = """# Agent Instructions
 
-This repository uses baseline agent instructions generated by agent-rules-kit.
+These baseline instructions were generated by agent-rules-kit.
+Review and adapt them before relying on them for a specific project.
 
-- Read the repository before changing files.
-- Do not run destructive commands unless explicitly requested.
-- Do not add secrets, tokens, credentials, or private data.
+## Scope
+
+These instructions apply from the repository root unless a more specific instruction file
+defines a narrower scope.
+
+## Authority
+
+Follow explicit user requests first. Then follow this file and any more specific
+instruction files for the files being changed.
+
+## Secret handling
+
+Do not commit, print, or log secrets, tokens, credentials, API keys, private URLs, or private data.
+
+## Command execution
+
+Read the repository before changing files.
+Ask for explicit confirmation before destructive commands or broad filesystem changes.
+
+## Review and CI
+
+Keep the repository review process, CI requirements, branch protection, and maintainer
+approval intact.
 """
 
 

tests/test_init_write.py

@@ -1,9 +1,13 @@
 from __future__ import annotations
 
+import io
+import json
 import tempfile
 import unittest
+from contextlib import redirect_stdout
 from pathlib import Path
 
+from agent_rules_kit.cli import main
 from agent_rules_kit.init_plan import InitPlanAction
 from agent_rules_kit.init_write import BASELINE_AGENTS_CONTENT, write_init_files
 
@@ -70,6 +74,22 @@ def test_write_init_files_rejects_missing_root(self) -> None:
             with self.assertRaises(ValueError):
                 write_init_files(missing_root)
 
+    def test_generated_baseline_passes_current_governance_check(self) -> None:
+        with tempfile.TemporaryDirectory() as temporary_directory:
+            repository = Path(temporary_directory)
+
+            write_init_files(repository)
+
+            stdout = io.StringIO()
+            with redirect_stdout(stdout):
+                exit_code = main(["check", str(repository), "--format", "json"])
+
+            payload = json.loads(stdout.getvalue())
+
+            self.assertEqual(exit_code, 0)
+            self.assertEqual(payload["summary"]["finding_count"], 0)
+            self.assertEqual(payload["findings"], [])
+
 
 if __name__ == "__main__":
     unittest.main()