Source specifiers

A source specifier is the argument to rig use, rig inspect, and (sometimes) rig hub update.

Resolution details

hub:

Two HTTP calls:

GET https://userig.xyz/api/v1/packages/{author}/{name}
GET https://userig.xyz/api/v1/packages/{author}/{name}/{version}/artifact

The first returns metadata (latest version, description). The second returns the tarball with an X-Rig-SHA256 header used to verify integrity.

If you've set RIG_HUB_URL, the CLI hits that base instead — useful for self-hosted Hubs and CI mocks.

github:

The CLI calls GitHub's releases API and downloads the first .rig.tgz asset attached to the release. Omit @tag to use the latest release.

This is the friction-free path for open-source rigs without a Hub account. See Publish to GitHub releases.

./path.rig.tgz

Direct local file path. No network. Useful for testing a freshly-packed artifact:

rig pack
rig hub use ./dist/foo-0.1.0.rig.tgz --dir /tmp/test

registry:

A local file registry is a directory with an index.json and a blobs/ folder. Resolution reads {registry}/index.json, finds the requested version, and reads the blob from {registry}/blobs/<author>__<name>__<version>.rig.tgz.

The registry path is configured with RIG_REGISTRY_DIR or via flags. See Local registries.

Verification

The CLI verifies SHA-256 hashes whenever they're available:

• hub: — from the X-Rig-SHA256 response header.
• registry: — from index.json.
• ./path.rig.tgz and github: — not verified (no canonical hash source).

See also

• Install a rig
• Hub publishing
• GitHub releases
• Local registries