# Safety checks

The warnings rig surfaces during pack and inspect — what they mean and what to do.

`rig pack` and `rig inspect` scan files in the artifact for things that typically shouldn't be shared. They're conservative heuristics, not a guarantee. Read every warning.
## What gets checked

| Check | Triggers on | Why it matters |
|---|---|---|
| Likely secrets | High-entropy strings that resemble API keys, tokens | Could be a real credential |
| Private key blocks | `-----BEGIN ... PRIVATE KEY-----` markers | Almost certainly a real key |
| .env-shaped files | Files matching `*.env`, `*.env.*` | Default exclude, but flagged if force-included |
| Large files | Files above a size threshold | Bloats the artifact; usually unintended |
| Local private paths | Hardcoded `/Users/...`, `/home/...` paths | Won't work for the installer; may leak who you are |
| Database files | `*.db`, `*.sqlite` | Often contains personal data |
| Bulk email addresses | A file with many @-bearing strings | Could be a contact list, mailing list, or PII |
Each warning prints a file path and a brief reason. Nothing is auto-removed.
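As an added illustration (not rig's own code), here is a small Python scanner that applies the seven heuristics from the table to a constructed in-memory artifact; the thresholds, regular expressions, file names and contents are all assumptions made for this example.

```python
import math
import re
from collections import Counter
from fnmatch import fnmatch

# Thresholds and patterns are assumptions for this example, not rig's own values.
LARGE_FILE_BYTES = 1024
ENTROPY_THRESHOLD = 4.0  # bits/char; random-looking tokens score ~4.5+
BULK_EMAIL_MIN = 20
KEY_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
TOKEN_LIKE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")  # API-key / token shaped
LOCAL_PATH = re.compile(r"(?:/Users|/home)/[A-Za-z0-9._-]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def check_file(path, data):
    """Apply the table's heuristics to one file; return (check, path, reason) tuples."""
    text = data.decode("utf-8", errors="ignore")
    found = []
    if fnmatch(path, "*.env") or fnmatch(path, "*.env.*"):
        found.append(("env-shaped file", path, "matches *.env / *.env.*"))
    if len(data) > LARGE_FILE_BYTES:
        found.append(("large file", path, f"{len(data)} bytes"))
    if fnmatch(path, "*.db") or fnmatch(path, "*.sqlite"):
        found.append(("database file", path, "may contain personal data"))
    if KEY_BLOCK.search(text):
        found.append(("private key block", path, "BEGIN ... PRIVATE KEY marker"))
    for tok in TOKEN_LIKE.findall(text):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found.append(("likely secret", path, f"high-entropy string {tok[:6]}..."))
            break  # one warning per file is enough to prompt a review
    if m := LOCAL_PATH.search(text):
        found.append(("local private path", path, m.group(0)))
    if len(EMAIL.findall(text)) >= BULK_EMAIL_MIN:
        found.append(("bulk email addresses", path, "many @-bearing strings"))
    return found

def scan(files):  # files is {path: bytes}; nothing is removed, the author decides
    return [w for path, data in files.items() for w in check_file(path, data)]

# Constructed sample artifact: every value below is made up for this example.
SAMPLE = {
    "config/.env": b"API_KEY=placeholder\n",
    "deploy.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n",
    "notes.txt": b"See /Users/alice/projects/rig for the old layout.\n",
    "contacts.csv": b"\n".join(b"user%d@example.com" % i for i in range(25)),
    "cache.sqlite": b"\x00" * 16,
    "src/app.py": b"TOKEN = 'aK9x2QmZ7pL4vR8tW1yB3nC6dF0hJ5s'\n",
}
```

Running `scan(SAMPLE)` yields one warning per sample file; a clean file such as a short README yields none, and like rig's own checks the scanner only reports, it never deletes.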
## What to do

For each warning:

- Open the file.
- Decide if shipping it is what you actually want.
- If yes, ignore the warning.
- If no, either delete the file, add it to `[package].exclude`, or add it to `.rigignore`.

Re-run `rig pack && rig inspect` until the warning list is the one you mean to ship with.
## What's always excluded regardless

The default excludes — `.env`, `*.key`, `*.pem`, `.git/`, `node_modules/`, etc. — apply even if you don't customise `[package]`. You'd have to explicitly `rig add` one of those patterns to ship it. If you do, the safety check will warn loudly.
## Pre-publish checklist

Before `rig hub publish`:

- `rig pack` produces a clean warning list (or each warning is reviewed).
- `rig inspect` file list contains only what you mean to ship.
- No `.env`, no `*.key`, no `private/` content.
- Manifest version is correct (`[rig].version`).
- Round-trip test install + `rig doctor` passes.