lintai docs

Appearance

Rule Reference

SEC360lintai-ai-securityguidancequalitypreviewmarkdownwarn

Cursor rule: `globs` type

Cursor rule frontmatter `globs` must be a sequence of patterns

Public lane
guidance
Category
quality
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

guidancesidecar lane

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Cursor rule path-matching shape mismatches are deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC353Copilot instructions: exceeds 4000 charsGitHub Copilot instruction markdown exceeds the 4000-character guidance limitguidancequalitymarkdown
SEC354Copilot instructions: missing `applyTo`Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmatterguidancequalitymarkdown
SEC355AI markdown: wildcard tool grantAI-native markdown frontmatter grants wildcard tool accessguidancehardeningmarkdown
SEC356Plugin agent: `permissionMode` in frontmatterPlugin agent frontmatter sets `permissionMode`guidancequalitymarkdown
SEC357Plugin agent: `hooks` in frontmatterPlugin agent frontmatter sets `hooks`guidancequalitymarkdown
SEC358Plugin agent: `mcpServers` in frontmatterPlugin agent frontmatter sets `mcpServers`guidancequalitymarkdown

Why It Matters

SEC360 flags Cursor rule markdown whose frontmatter sets globs to something other than a YAML sequence of path patterns.

This is useful because:

  • Cursor rules are configuration-bearing markdown, not free-form prose
  • path targeting becomes harder to review when globs is written as a scalar or malformed inline value
  • the failure mode is community-hostile: the rule looks scoped, but loaders may interpret it inconsistently or ignore it

What Triggers

This rule applies only to Cursor rule markdown surfaces such as .mdc and .cursorrules.

It triggers when:

  • frontmatter contains globs
  • and globs is not a sequence of non-empty string patterns

Examples that trigger:

yaml
---
globs: "**/*.rs"
---
yaml
---
globs: *
---

Example that stays clean:

yaml
---
globs:
  - "**/*.rs"
  - "**/*.toml"
---
  • fixture-like paths under tests/, fixtures/, examples/, or samples/

False Positives

This rule now lives in the explicit guidance lane because some repos still carry legacy or compatibility-projection Cursor rule files. The signal is about deterministic config quality and interoperability, not about exploitability.

Remediation

Write globs as an explicit YAML sequence:

yaml
---
globs:
  - "**/*.rs"
  - "**/*.toml"
---

If the rule should apply globally, prefer the normal Cursor rule model with alwaysApply: true instead of using malformed or scalar globs syntax.