AI agent governance, security tooling, and mechanical enforcement.

The Practice score: grading the workflow, not just the config

  • #rigscore
  • #ai
  • #governance
  • #practice
  • #workflow
  • #scoring

Every rigscore scan prints two numbers, not one. Security is the familiar hygiene grade — is this rig safe? The second, Practice, asks a question no other scanner does: does this team actually drive its agents well? A repo can be airtight on the first and hollow on the second, and the two scores exist precisely so that neither one hides the other.

Two different questions

Security scores the things that hurt you when they’re wrong: an MCP server mounting /, a plaintext token in a config, a governance file that contradicts the settings next to it. It is about exposure. Practice scores the things that decay quietly when nobody tends them. Are agent loops governed, or does the model run unbounded? Do specs state a goal, or just vibes? Has the team’s skill library matured past copy-paste? Is the sandbox posture deliberate? These don’t leak a secret today. They’re the difference between a workflow that compounds and one that quietly rots — and they were invisible to every tool that only grades the config surface.

What Practice measures

The Practice axis is its own weighted set of checks:

  • Loop governance — are autonomous agent loops bounded and supervised?
  • Spec goals — do specs declare an actual objective a run can be judged against?
  • Workflow maturity — how far along the “prompt → skill → graduated code” path the team’s tooling has moved.
  • Sandbox posture — is the agent’s approval and isolation boundary set on purpose?
  • CI agent caps — are agent capabilities in CI constrained rather than wide-open?
  • Memory hygiene — is persistent agent memory curated, or accreting cruft?
  • AI disclosure — does the project say, plainly, where AI is in the loop?

Each carries a weight on the Practice axis and zero on Security. That separation is the whole point: a mature workflow shouldn’t paper over an exposed secret, and a locked-down config shouldn’t earn credit for governance the team never wrote.

Honest about absence

A repo with no practice surface doesn’t get a punishing 0/100 on the second axis — it prints Practice: n/a, and --json reports practiceScore as null. An npm package isn’t running agent loops, so grading it on loop governance would be theater. Coverage that isn’t there is reported as absent, not as failure. That is the same discipline the Security score follows: unscannable checks go N/A and their weight is redistributed, never silently counted as a zero.

Why bother scoring it at all

Because the failure mode of agentic development isn’t only the dramatic one — the leaked key, the rug-pulled MCP server. It’s the slow one: loops nobody bounded, specs nobody wrote down, a skill library nobody graduated, memory nobody pruned. Those don’t show up in a vulnerability scan. They show up six months later as a workflow no one trusts. The Practice score puts a number on the slow failure while it’s still cheap to fix, and it sits right next to the Security grade so you can’t fix one while pretending the other doesn’t exist.

Two axes, one scan, no token. Read how both are computed on the rigscore docs.

Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.

← Back to Journal