Agent config token bloat audit: one scan, four file names.
Most published audits stop at one file name. They are written for the Claude Code reader, the Cursor reader, or the Codex reader, never the person whose repo has all three sitting next to each other. The irritating thing is that the four files are interchangeable as content: they all encode the same shape (a rule list for an LLM in the editor loop), and the four patterns that bloat them are the same.
So this guide is about one detector, one per-line scan, and four worked-example file names. The audit you run on a 2,000-token .cursorrules is the audit you run on a 2,000-token CLAUDE.md is the audit you run on a 2,000-token AGENTS.md. The findings come back in the same shape, and the recoverable bytes go to the same place (your bill).
1. One detector, one scan
The detector is seven lines. It reads the first 300 characters of whatever you pasted and returns one of four inputType values:
The per-line scan that runs next is 62 lines. It iterates the file, checks each line against the four patterns, pushes findings. It does not read the inputType the detector returned. The tag is for the result header. The findings are format-agnostic:
The whole file is 322 lines, no network calls (open DevTools, watch the Network tab, paste a file: no POST). The split between detection and scanning is the load-bearing fact in this guide: it is why a Cursor person and a Codex person and a Claude Code person can share one audit.
2. The four patterns
Seven finding kinds, grouped into four buckets by severity and remediation. The first three (cache_bust, duplicate, bloat) attribute token savings per line. The fourth (dead-rule) flags lines that ship every turn and produce no agent behavior, which is a different kind of waste.
cache_bust
An ISO date, 'today', or 'this session' in the first 20 lines voids prompt caching for the whole file. One byte change at the top forces a cold read on every turn. Severity high because it is the only single-line edit that swings cost by an order of magnitude.
duplicate
The same rule pasted twice. Trim, lowercase, exact match. You pay tokens for both copies, the agent gets one signal. Cheapest fix in the audit (delete the second copy).
bloat
A rule line over 28 words. The agent treats the second half as filler; you ship every byte every turn. Recoverable bytes estimated at ~35% of the line (conservative).
dead-rule
Three sub-findings: vague (terms with no testable meaning), aspirational (absolutes with no escape clause), missing_why (prohibitions with no rationale). The line ships every turn, the agent ignores or guesses, the tokens produce no behavior.
3. The same matrix in every format
The right column below is identical regardless of whether the file you pasted got tagged as claude.md, agents.md, .cursorrules, or .grokrules. The middle column is the literal trigger inside one of your files; the right column is what the analyzer prints, byte for byte, across all four formats:
| Feature | What it matches in your file | What the analyzer prints (every format) |
|---|---|---|
| cache_bust (high) | Today is 2026-05-21 on L3 | Identical detection across all four formats. First 20 lines, ISO date or session word. |
| duplicate (medium) | Same rule on two lines, paid twice | Trim-and-lowercase comparison; runs once across the whole file regardless of format. |
| bloat (medium) | Rule line over 28 words | Word-count threshold is a property of how Claude reads rules, not of the file extension. |
| vague (low) | "appropriate", "carefully", "well" | Same word list, same per-line regex. Cursor reads vague rules the same way Claude does. |
| aspirational (low) | "always", "never" with no escape | Same scan. Grok ignores absolutes the same way Codex does. |
| missing_why (medium) | NEVER / DO NOT with no "because" | Looks 4 lines forward for any rationale word. Format does not change the requirement. |
| conflict (high) | Contradicting absolutes (e.g. comments) | Whole-file substring check. The conflicting pair ships in either format on every turn. |
Read row by row, the table says one thing: there is no format-specific bloat. There is only bloat. The filename on the tab is a label.
4. Worked example: a .cursorrules and an AGENTS.md
Two files from the same repo, pasted into the analyzer one after the other. Same eight columns of output, four different findings on each file because the files are different, identical tokenSavings math because the cost model does not change:
The summary line at the bottom is the entire thesis. If you swap the .cursorrules for a .grokrules with the same shape, the bottom line stays. The format names are interchangeable as bloat surfaces.
5. What this means if your repo has more than one
A real consequence of one-detector-one-scan: if your repo has a CLAUDE.md and a .cursorrules side by side (common; people switch editors mid-task), they each pay their own per-turn cost on their own orchestrator. Bloat in the CLAUDE.md does not subsidize the .cursorrules. Bloat in the .cursorrules does not show up on the Claude Code bill. You have to audit both, separately, in the same short loop.
The good news is the loop is the same. Paste, read findings, fix the high-severity ones, re-paste. About 4 minutes per file. If the patterns you fixed in the CLAUDE.md (a dated line at the top, two duplicated rules) also appear in the .cursorrules (because you copy-pasted between them three months ago), the .cursorrules pass will finish in 90 seconds.
For the layered case (a user CLAUDE.md plus a project CLAUDE.md plus an @AGENTS.md import) the math is on /t/claudemd-layer-audit-token-bloat. For the per-format walkthrough on Codex's file, see /t/agents-md-token-cost-per-turn; for Grok, /t/grokrules-config-analyzer.
6. The four-minute loop
- Open the file in your editor. Hit copy-all. Open ccmd.dev in another tab. Paste into the textarea.
- Read the header. Two numbers matter: the inputType tag (confirms the detector saw what you meant) and totalTokens (the denominator for everything below).
- Sort findings by severity. Fix every high first. That is almost always one cache_bust (one line moved or stripped) and maybe one conflict. The cost swing is at least 5x.
- Fix the medium findings next. duplicate is a deletion, bloat is a split-into-three, missing_why is a one-line append.
- Re-paste. The findings list should be shorter; the potentialSavings number should be lower. Save the file. Close the tab. Repeat per file in the repo.
Want a second pair of eyes on the polyglot pass?
20 minutes, your CLAUDE.md and .cursorrules and AGENTS.md on screen, every finding called out by line number. Free.
Frequently asked questions
Is the token bloat the same in CLAUDE.md as in .cursorrules?
Yes, and for a precise reason. The whole file ships to the agent on every turn regardless of which orchestrator is running it. Cursor inlines .cursorrules. Claude Code inlines CLAUDE.md. Codex inlines AGENTS.md. Grok Build inlines .grokrules. The cost model is identical: total tokens times turns times the input rate. A 2,000-token .cursorrules with a dated line near the top pays the same cache-bust surcharge as a 2,000-token CLAUDE.md with the same dated line near the top.
Why are there four file names if the audit is the same?
Because each orchestrator decided on its own filename. The four formats are interchangeable as content: they all encode the same thing (rules for an LLM that sits in the loop with your editor). gradually.ai's converter exists because users move between them. ccmd's detector at src/lib/analyzer.ts line 41 looks at the first 300 characters and tags the input as one of the four, but the per-line scan that runs next (lines 142 to 204) never reads the tag. The tag is for the result header; the findings are format-agnostic.
How long does the audit take?
About 220 ms on a 200-line file in the browser. There is no network call; the analyzer is pure client-side TypeScript at src/lib/analyzer.ts (322 lines total). Open DevTools, watch the Network tab, paste a file: no POST. The whole loop (paste, read findings, fix the high-severity ones, re-paste, confirm) is roughly 4 minutes per file.
Does the audit work if I have both a CLAUDE.md and a .cursorrules in the same repo?
Run the audit twice, once per file. Both ship on every turn of their respective tool (CLAUDE.md in Claude Code, .cursorrules in Cursor). If you also have an AGENTS.md, Codex loads that one. The findings do not merge; each file pays its own per-turn cost, and bloat in one does not subsidize bloat in the other. We have a separate guide on stacking: /t/claudemd-layer-audit-token-bloat.
Which finding should I fix first?
Sort by severity, then by tokenSavings. cache_bust is always high severity and always the biggest single-edit win because it flips a per-turn 10x cache discount on or off. Duplicate is medium severity but the cheapest fix (one deletion, exact tokens recovered). Bloat is medium severity and the most tokens per edit (~35% of a long line). Vague and aspirational are low severity; address them in a polish pass once the high-impact ones are gone.
Does the analyzer score Grok config files?
Yes. detectType returns '.grokrules' if the first 300 characters contain '.grokrules' or a '# Grok' header. The per-line scan that runs after the tag is the same code path as the CLAUDE.md branch. We have a dedicated walkthrough at /t/grokrules-config-analyzer.
What about Copilot instructions?
Not in the detector at the moment. The current four formats are CLAUDE.md, AGENTS.md, .cursorrules, .grokrules. A Copilot instructions file pasted into ccmd will fall through to the default branch (claude.md) and still get the same four token-bloat findings, because the patterns are about how an LLM reads rules, not about the filename. The result header will say 'claude.md', the findings are still applicable.
What is the dollar cost of one bloat finding?
The analyzer prints a tokenSavings per finding. Multiply by turns per session and your input rate. On Opus 4.7 at $15 per million tokens, a single 40-token bloat finding cut from a CLAUDE.md that fires 30 times in a session is 40 * 30 * 15 / 1_000_000 = $0.018 saved that session, or ~$0.04 if the prompt cache is cold. Small per finding; compounding because the same file rides every session for the rest of the week.
Does the audit upload my file?
No. The free analyzer at ccmd.dev runs the scan in the browser; no POST, no log entry, no copy stored. The paid tier ($9 to $19 a month solo, $49 a team) adds continuous monitoring on a repo you opt in, which does upload the file you choose to monitor. The pricing page at /pricing has the breakdown.
Comments (••)
Leave a comment to see what others are saying.Public and anonymous. No signup.