rigscore v0.7.2
Changes: v0.6.3 โ v0.7.2
Three areas of hardening. No new checks โ deeper detection in the existing ones.
| Change | What it does |
|---|---|
| Negation-aware CRITICAL escalation | Governance rules without negation context now escalate from WARNING to CRITICAL |
| Multi-line injection detection | 2-line sliding window catches prompt injection patterns split across line boundaries |
| Three governance quality checks | TDD/Pipeline Lock, Definition of Done, and git workflow rules now scored |
| Bypass combo detection | Settings combinations that together eliminate all security gates flagged CRITICAL |
| Settings-vs-governance coherence | settings.json cross-referenced against CLAUDE.md for contradictions |
CLAUDE.md: negation handling
Previous versions flagged governance keywords by presence alone. The problem: a governance file that says “execute commands” โ without the word “never” โ looked the same as one that said “never execute commands”. Both matched the keyword. Neither triggered a finding.
v0.7.2 changes this. Governance rules without negation context now escalate from WARNING to CRITICAL:
- “execute commands” โ CRITICAL (no negation โ appears to permit it)
- “never execute commands” โ PASS (negated โ correctly restricts it)
- “prevent command execution” โ PASS (defensive framing โ recognized as a restriction)
The negation check recognizes never, don't, do not, without, prevent, prohibit, disallow, forbidden, and not allowed. Ambiguous rules fail closed โ CRITICAL until negation is explicit.
What to fix: Review your governance file for rules that state actions without explicit prohibition. “Users may execute commands” and “the agent can execute commands” are now findings. “Never execute commands” and “command execution is forbidden” are not.
CLAUDE.md: multi-line injection detection
Standard injection detection scans one line at a time. The bypass technique is simple: split the injection payload across two lines. ignore previous on one line, instructions on the next โ neither line triggers a single-line detector.
v0.7.2 adds a 2-line sliding window. The scanner combines adjacent lines before matching, catching patterns that cross line boundaries. The sliding window applies to all injection pattern families: override patterns, role reassignment, trust exploitation, privilege escalation.
The scanner also includes defensive context detection: a line like “prevent injection attacks” or “scan for ignore-previous patterns” contains injection keywords but in a protective context. These are downgraded from CRITICAL to INFO, not suppressed entirely.
CLAUDE.md: three governance quality checks
Three new governance quality dimensions now affect the CLAUDE.md score:
TDD/Pipeline Lock: Does your governance file define rules around test-first development or pipeline gates? Agents that write code without test requirements can introduce untested changes at scale. Governance that defines when and how tests are written constrains this.
Definition of Done: Does your governance define what “complete” means? Without a DoD, agents declare tasks done when they’ve satisfied the prompt โ not when the work is actually production-ready. Governance that specifies quality gates (lint, tests, review) enforces completion criteria.
Git workflow rules: Does your governance define branch strategy, commit conventions, and merge process? Agents that push directly to main or squash unreviewed changes bypass the review process that catches mistakes.
Missing any of these is a WARNING in the CLAUDE.md check. The score impact is proportional โ three missing rules produce a lower score than one.
Claude settings: bypass combo detection
Individual settings flags โ enableAllProjectMcpServers, skip-permissions, broad allow-lists โ each carry some risk. v0.6.3 flagged them individually. v0.7.2 detects when they combine into something worse.
Two compound patterns now trigger CRITICAL findings:
Pattern 1 โ Auto-approve with broad access: enableAllProjectMcpServers paired with hooks that grant broad filesystem access. The combination means: all MCP servers are trusted automatically, and hooks can touch any file without a permission gate. No human ever reviews what’s running or what it can access.
Pattern 2 โ Skip-permissions with broad allow-list: skip-permissions paired with allow-list entries that permit arbitrary operations (broad sudo, arbitrary pip install, unrestricted docker run). The combination means: the permission check is skipped, and when it does run, it allows anything on the list. Two bypass mechanisms in the same config.
Individual settings are still flagged as WARNING or INFO depending on context. Compound patterns produce an additional CRITICAL on top.
Coherence: settings vs. governance alignment
The coherence check was already comparing governance claims against actual configuration โ but it wasn’t reading settings.json. v0.7.2 closes that gap.
If your CLAUDE.md requires approval gates for destructive operations but settings.json has bypassPermissions: true, that’s a contradiction. The governance file says one thing; the runtime config does another. The coherence check now surfaces this as a finding.
The cross-reference covers:
- Approval gate requirements in governance vs.
bypassPermissionsin settings - Anti-injection rules in governance vs. hooks that skip the
UserPromptSubmitlifecycle event - Access restrictions in governance vs.
enableAllProjectMcpServerswithout per-project review
Contradictions between governance and settings produce a CRITICAL coherence finding, which triggers the compound risk penalty on top of the per-check deduction.
Run it
| |
No accounts, no telemetry, no network calls. MIT licensed.
Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.