
rigscore v0.4.0

Tags: rigscore, security, ai, devtools, mcp, open-source

Changes: v0.3.0 → v0.4.0

Four additions. Check count goes from 9 to 10.

Feature                  What it does
--watch                  Monitors the project directory, re-scans affected checks on file change, reports score deltas
Windows/WSL security     Advisory check — WSL interop exposure, Windows PATH injection, mount permissions, Defender exclusion gaps
Plugin system            Custom checks via JS modules that export the rigscore check interface
--init-hook              Runs a script before scanning starts — bootstrap config, pull allowlists, set up fixtures

Watch mode

The original workflow was: change something, remember to run rigscore, look at the score. The problem is the “remember to” part. Configurations drift between scans — new MCP servers get added, .env files show up outside .gitignore, extensions change agent scope.

--watch keeps rigscore running. It watches config files and re-evaluates on change. Output shows which checks were affected and the score delta.

npx rigscore --watch

Windows/WSL security

10th check. Advisory-only — no point impact, but it flags attack surfaces specific to WSL2 development:

  • WSL interop — whether Windows binaries can execute from the Linux side by default
  • PATH injection — whether Windows executables can shadow Linux tools
  • Mount permissions — whether Windows drives are mounted with permissive defaults
  • Defender exclusions — whether dev directories are excluded from AV scanning, creating blind spots

This matters because a lot of AI development happens in WSL2, and the boundary between the Windows and Linux sides is more porous than most people assume.


Plugins and init hooks

Plugins let organizations codify their own checks — internal MCP server allowlists, required governance patterns, custom secret formats. A plugin is a JS module that exports the standard check interface. It runs alongside the built-in checks and contributes to the score.

Init hooks run a script before scanning starts. Use case: pulling a dynamic allowlist, bootstrapping project config, or setting up test fixtures before rigscore evaluates the environment.

# Run with a custom check plugin
npx rigscore --plugin ./our-org-policy.js

# Run a setup script before scanning
npx rigscore --init-hook ./bootstrap.sh

Scoring weight unchanged

The moat checks still carry the majority of the score:

Check                     Points
MCP supply chain          18
Cross-config coherence    18
Skill file safety         12
CLAUDE.md governance      12

60 of 100 points come from AI-specific configuration. The remaining 40 cover secrets, containers, git hooks, and permissions. Windows/WSL is advisory and doesn’t affect the numeric score.

Rationale for the weighting: MCP server misconfiguration and governance contradictions are the highest-impact risks in an AI dev environment, and they’re the checks that don’t exist in other tools.


Install

npx rigscore

No accounts, no telemetry, no network calls. MIT licensed.

github.com/joepetjr/rigscore

Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.