AI agent governance, security tooling, and mechanical enforcement.

rigscore v0.8.0

  • #rigscore
  • #security
  • #ai
  • #devtools
  • #open-source

Changes: v0.7.2 → v0.8.0

Two new checks, a distribution model change, and release automation fixes.

Features

  • infrastructure-security check — verifies host-level defenses: root-owned git hooks, git safety wrapper, shell safety guard, immutable config dirs, settings deny-list, sandbox gate
  • site-security check — probes deployed sites over live HTTP (opt-in via --online): security headers, exposed sensitive paths, TLS certificate expiry
  • Single-channel distribution — install via npx github:Back-Road-Creative/rigscore; npm dropped, fewer supply-chain surfaces

Fixes

  • Release workflow consolidation — one release.yml drives tag, GitHub release, headlessmode journal post, and tool-page sync
  • workflow_dispatch on release — manual re-trigger now possible when a release run fails mid-flight

Infrastructure-security check

rigscore started as an AI-dev hygiene tool — governance files, skill files, MCP configs. v0.8.0 extends the hygiene model to the host that runs those agents. The new infrastructure-security check (Linux-only) verifies that the machine’s defensive layers are actually in place:

  • Root-owned global git hooks (pre-commit, pre-push, commit-msg in /opt/git-hooks) plus a root-owned git safety wrapper
  • A shell safety guard (/etc/profile.d/safety-gates.sh) that blocks dangerous patterns like chmod 777
  • chattr +i immutability on configured protected directories
  • A settings.json deny-list covering destructive commands (git push --force, git reset --hard, rm -rf, direct pushes to main/master)
  • A sandbox gate registered as a PreToolUse hook for Write/Edit/Bash protection

The check is weighted 6 points — same as docker-security — and slots into the hygiene side of the scoring model.


Site-security check

Deployed sites are a surprisingly rich leak surface. The new site-security check probes your live sites over HTTP — it only runs when you opt in with --online; without the flag it’s skipped entirely. For each configured site it checks:

  • Security headers — missing Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, or Strict-Transport-Security is a critical finding; Referrer-Policy and Permissions-Policy are advisory
  • Exposed sensitive paths — probes for reachable .env* files, .git/config, backup archives and SQL dumps, admin panels, and server-status pages
  • TLS certificate expiry
  • Secret patterns (API keys, tokens) in served JavaScript

Unlike infrastructure-security, this check is advisory — weight 0, no score impact.


npm dropped — GitHub only

rigscore was briefly published to npm. It isn’t anymore. The distribution surface is now a single path:

1npx github:Back-Road-Creative/rigscore

Two reasons. First, the npm account adds a supply-chain surface (2FA reset attacks, account takeovers) that a scoring tool built to warn you about supply-chain attacks shouldn’t introduce. Second, the github: protocol pins to a tag or branch — users can audit exactly what they’re running without an opaque registry indirection.

The npm install -g rigscore path is gone. No migration: change rigscore to npx github:Back-Road-Creative/rigscore in your CI and local shell.


Release plumbing

The v0.8.0 release cycle exposed a handful of CI gaps. Three fixes landed:

  • release.yml consolidated from two overlapping workflows into one
  • workflow_dispatch added so a failed release can be re-run manually without retagging
  • Git log sourcing for the auto-generated headlessmode journal post fixed — previous releases published with empty commit tables

github.com/Back-Road-Creative/rigscore

Try it → GitHub → All releases →
← Back to Releases