# Inspect locally

Use `rig inspect` on your own artifact before publishing.

The same `rig inspect` you'd use to peek at someone else's rig is the last gate before publishing your own.
```
rig pack
rig inspect ./dist/<name>-<version>.rig.tgz
```

## What to look for
### Manifest section

Confirm:

- `[rig].name`, `author`, `version` are right.
- `[env].required` matches what your scripts actually read.
- `[tools].required` includes everything you actually shell out to.
- `[mcp].servers` is the full list (compare against `.mcp.json`).
- `[permissions]` doesn't grant more than your rig actually needs (least privilege).
- `[sync]`, if present, points at the right relay.
### File list

Read it. Look for:

- `outputs/`, `notes/`, `private/`, `research/` — if any of these slipped in, fix `[package].exclude` and re-pack.
- `.env`, `secrets.json`, `credentials.json`, `*.pem`, `*.key` — these should be in the default excludes already, but verify.
- Anything you don't recognise.
### Safety warnings

`rig inspect` prints a section like:

```
warnings:
  - data/scratch/transcript.json: looks like ~120 email addresses
  - examples/output.md: contains a likely private key block
```

These come from the safety checks. Each one is heuristic — review and decide. If a warning is a false positive, you can ship; if it's real, fix it before publishing.
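The two review steps above (file list against the exclude list, then the heuristic content scan) as plain Python over a `.rig.tgz`. This is an added example, not rig's own code: the artifact is constructed in memory with fake contents, and the email threshold, the tarball layout and the warning wording are assumptions, not what `rig inspect` actually does.

```python
"""Pre-publish checks over a packed artifact (added example, not rig's code)."""
import fnmatch
import io
import re
import tarfile

# Directories that must not ship; the page says to fix [package].exclude and re-pack.
EXCLUDED_DIRS = {"outputs", "notes", "private", "research"}
# Secret-looking files that the default excludes are expected to drop; verify anyway.
SECRET_GLOBS = (".env", "secrets.json", "credentials.json", "*.pem", "*.key")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
EMAIL_THRESHOLD = 20  # assumed cut-off for "looks like ~N email addresses"


def excluded_paths(paths: list[str]) -> list[str]:
    """Return members that sit under an excluded dir or whose basename matches a secret glob."""
    hits = []
    for path in paths:
        *dirs, base = path.split("/")
        if any(d in EXCLUDED_DIRS for d in dirs):
            hits.append(path)
        elif any(fnmatch.fnmatch(base, glob) for glob in SECRET_GLOBS):
            hits.append(path)
    return hits


def content_warnings(path: str, text: str) -> list[str]:
    """Heuristic scan of one text file; every hit still needs a human decision."""
    warnings = []
    emails = len(set(EMAIL_RE.findall(text)))
    if emails >= EMAIL_THRESHOLD:
        warnings.append(f"{path}: looks like ~{emails} email addresses")
    if PRIVATE_KEY_RE.search(text):
        warnings.append(f"{path}: contains a likely private key block")
    return warnings


def inspect_artifact(tgz: bytes) -> dict:
    """Walk a .rig.tgz held in memory; return file list, exclude hits and warnings."""
    paths, warnings = [], []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            paths.append(member.name)
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary file: the text heuristics do not apply
            warnings.extend(content_warnings(member.name, text))
    return {"files": paths, "excluded": excluded_paths(paths), "warnings": warnings}


def build_sample_artifact() -> bytes:
    """Constructed artifact that trips every check; all contents are fake."""
    files = {
        "rig.toml": '[rig]\nname = "foo"\nversion = "0.1.0"\n',
        "skills/review.md": "# Review skill\n",
        "notes/todo.md": "scratch notes that should have been excluded\n",
        "data/scratch/transcript.json": ",".join(
            f"user{i}@example.com" for i in range(120)
        ),
        "examples/output.md": (
            "-----BEGIN RSA PRIVATE KEY-----\nNOT-A-REAL-KEY\n"
            "-----END RSA PRIVATE KEY-----\n"
        ),
        ".env": "API_KEY=placeholder-not-a-secret\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_artifact(build_sample_artifact())
    for path in report["excluded"]:
        print(f"excluded path shipped: {path}")
    print("warnings:")
    for line in report["warnings"]:
        print(f"  - {line}")
```

Point `inspect_artifact` at the bytes of a real `./dist/<name>-<version>.rig.tgz` to run the same checks on your own pack; the exclude hits are always a re-pack, the warnings are the heuristic ones the text says to review and decide on.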
## Test installs

The round-trip:

```
rig hub use ./dist/foo-0.1.0.rig.tgz --dir /tmp/test-foo
cd /tmp/test-foo
rig install --interactive
rig doctor
```

If `rig doctor` comes up green and you can `claude` and have a productive session, the rig is ready to publish.
## Diff against the previous version

If you have the previous artifact, compare manifests:

```
rig inspect ./dist/foo-0.1.0.rig.tgz --json | jq '.manifest' > prev.json
rig inspect ./dist/foo-0.2.0.rig.tgz --json | jq '.manifest' > new.json
diff prev.json new.json
```

This catches accidentally-removed env vars, dropped MCP servers, broken permissions, version bumps that shouldn't have happened.
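A plain `diff` shows every changed line; the script below reads the same two `prev.json` / `new.json` files and reports only the changes this section says to watch for (removed env vars, dropped MCP servers, widened permissions, version bumps). This is an added example, not rig's own code. The manifest shape follows the section names the page lists (`[rig]`, `[env].required`, `[tools].required`, `[mcp].servers`, `[permissions]`, `[sync]`); the list-valued `allow` key under `[permissions]` and the two sample manifests are constructed assumptions.

```python
"""Structured diff of two rig manifests (added example, not rig's code)."""
import json
import sys

# Constructed previous and new manifests: assumed shape, fake values.
PREV = {
    "rig": {"name": "foo", "author": "you", "version": "0.1.0"},
    "env": {"required": ["OPENAI_API_KEY", "GITHUB_TOKEN"]},
    "tools": {"required": ["git", "gh"]},
    "mcp": {"servers": ["github", "filesystem"]},
    "permissions": {"allow": ["read", "git"]},
}
NEW = {
    "rig": {"name": "foo", "author": "you", "version": "0.2.0"},
    "env": {"required": ["GITHUB_TOKEN"]},
    "tools": {"required": ["git", "gh", "jq"]},
    "mcp": {"servers": ["github"]},
    "permissions": {"allow": ["read", "git", "shell"]},
}


def semver(version: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def list_delta(prev: list, new: list, label: str) -> list[str]:
    """Set difference in both directions, reported under the TOML-style key."""
    removed = sorted(set(prev) - set(new))
    added = sorted(set(new) - set(prev))
    return [f"removed {label}: {x}" for x in removed] + [f"added {label}: {x}" for x in added]


def manifest_diff(prev: dict, new: dict) -> list[str]:
    """Report the manifest changes a reviewer should confirm before publishing."""
    findings = []
    list_keys = (
        ("env", "required"),
        ("tools", "required"),
        ("mcp", "servers"),
        ("permissions", "allow"),  # assumed key name under [permissions]
    )
    for section, key in list_keys:
        findings += list_delta(
            prev.get(section, {}).get(key, []),
            new.get(section, {}).get(key, []),
            f"[{section}].{key}",
        )
    for key in ("name", "author"):
        if prev["rig"].get(key) != new["rig"].get(key):
            findings.append(f"[rig].{key} changed: {prev['rig'].get(key)} -> {new['rig'].get(key)}")
    if prev.get("sync") != new.get("sync"):
        findings.append(f"[sync] changed: {prev.get('sync')} -> {new.get('sync')}")
    pv, nv = prev["rig"]["version"], new["rig"]["version"]
    if pv != nv:
        changed = [i for i, (a, b) in enumerate(zip(semver(pv), semver(nv))) if a != b]
        kind = ("major", "minor", "patch")[min(changed[0], 2)] if changed else "patch"
        findings.append(f"version {pv} -> {nv} ({kind} bump): confirm it was intended")
    elif findings:
        # Content changed but the version did not: the opposite mistake.
        findings.append(f"manifest changed but version stayed at {pv}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python manifest_diff.py prev.json new.json
        with open(sys.argv[1]) as f_prev, open(sys.argv[2]) as f_new:
            prev, new = json.load(f_prev), json.load(f_new)
    else:
        prev, new = PREV, NEW
    for line in manifest_diff(prev, new):
        print(line)
```

Run it as `python manifest_diff.py prev.json new.json` on the files produced by the `jq '.manifest'` step; without arguments it diffs the two constructed manifests. Each "removed" line is the case the text warns about (an env var or MCP server that silently disappeared), each "added [permissions]" line is a grant to justify, and the version line asks you to confirm the bump rather than assuming it.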