@rigour-labs/cli

AI-native quality gates with local LLM analysis. Forces AI agents (Claude, Cursor, Copilot, Cline, Windsurf) to meet engineering standards. Bayesian Brain learns your codebase. Zero config: npx rigour-scan.

Latest version: 5.2.9 (source: npm). Maintainers: 4.

@rigour-labs/cli


AI Agent Governance CLI — quality gates, DLP, drift detection, and deep analysis. Rigour governs what goes IN (DLP), what comes OUT (quality gates), and what gets PERSISTED (memory governance).

Core gates run locally. Deep analysis can run in local mode or in cloud-provider mode.

🚀 Quick Start

```bash
npx @rigour-labs/cli scan     # Zero-config scan (auto-detect stack)
npx @rigour-labs/cli init     # Initialize config, hooks, DLP, governance
npx @rigour-labs/cli check    # Verify code quality (27+ gates)
npx @rigour-labs/cli run -- claude "Build feature X"  # Agent loop
```

🍺 Homebrew

```bash
brew tap rigour-labs/tap
brew install rigour
```

🛑 The Problem

AI agents are powerful but ungoverned. They claim success based on narrative, not execution. Credentials get cached in agent memory. Imports get hallucinated. Code quality drifts across sessions.

Rigour breaks this cycle with deterministic PASS/FAIL gates, credential interception, and memory governance — all local-first.

🔄 How It Works

```text
Agent writes code → Rigour checks → FAIL? → Fix Packet → Agent retries → PASS ✓
DLP: User input → Credential scan → BLOCK before agent sees it
Memory: Agent writes CLAUDE.md → Rigour intercepts → Forces rigour_remember (DLP-scanned)
```

⚙️ Quality Gates (27+ Deterministic)

Structural & Security Gates

| Gate | Description |
|---|---|
| File Size | Max lines per file (default: 300-500) |
| Content Hygiene | No TODO/FIXME comments allowed |
| AST Analysis | Cyclomatic complexity, method count, nesting depth, function length |
| Required Docs | SPEC.md, ARCH.md, README must exist |
| File Guard | Protected paths, max files changed |
| Security Patterns | XSS, SQL injection, hardcoded secrets, command injection, path traversal |
| Frontend Secret Exposure | API keys in client-side bundles |
| Deprecated APIs | Node, Python, Web, Go, C#, Java deprecated usage |
| Test Quality | Empty tests, tautological assertions, mock-heavy, snapshot abuse |
| Side-Effect Safety | Unbounded timers, recursive depth, resource lifecycle, retry loops |

AI-Native Drift Detection

| Gate | Description |
|---|---|
| Hallucinated Imports | Imports referencing non-existent modules (JS/TS, Python, Go, Ruby, C#, Rust, Java, Kotlin) |
| Phantom APIs | Non-existent stdlib/framework methods the LLM invented |
| Promise Safety | Unhandled async, unsafe JSON.parse, floating fetch across 6 languages |
| Duplication Drift | Three-pass: MD5 exact → AST Jaccard (tree-sitter) → semantic embedding (384D cosine) |
| Style Drift | Naming conventions, error handling, import style fingerprinted against project baseline |
| Logic Drift | Comparison operators (>= → >), branch counts, return statements tracked per function |
| Context Window Artifacts | Quality degradation within long files — clean top, messy bottom |
| Inconsistent Error Handling | Same error type handled differently across sessions |
| Dependency Bloat | Unused deps, heavy alternatives (moment→dayjs), duplicate-purpose packages |

Agent Governance

| Gate | Description |
|---|---|
| Memory Governance | Blocks agent writes to CLAUDE.md, .clinerules, .windsurf/memories/ |
| Skills Governance | Blocks agent writes to .claude/skills/, .cursor/rules/ |
| Governance DLP | Scans content written to any governed file for credentials |

Two-Score System

Every failure carries a provenance tag (ai-drift, traditional, security, governance) and contributes to two sub-scores: AI Health Score (0–100) and Structural Score (0–100).

🔒 AI Agent DLP (Data Loss Prevention)

Real-time credential interception via PreToolUse hooks — blocks credentials before agents see them.

  • 29 credential patterns: AWS, GCP, Azure, OpenAI, Anthropic, GitHub, Stripe, private keys, database URLs, JWTs, CI/CD tokens
  • Anti-evasion: Unicode normalization, zero-width char removal, bidi control stripping, Shannon entropy detection (>4.5 bits)
  • Compliance mapped: SOC2-CC6.1, HIPAA-164.312, PCI-DSS-3.4/3.5/6.5, OWASP-A2, CWE-798

🔗 Real-Time Hooks

Two-tier supervision: inline hooks (<200ms per file write) + checkpoint suite (full gates).

```bash
rigour hooks init                    # auto-detect tool, install hooks + DLP
rigour hooks init --tool all         # all tools at once
rigour hooks init --block            # exit code 2 on failures (strict mode)
rigour hooks init --no-dlp           # skip DLP hooks
rigour hooks check --files src/a.ts  # manual fast check
```

Supported tools: Claude Code, Cursor, Cline, Windsurf — each with quality (post-write) and DLP (pre-write) hooks.
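The DLP bullet list above (normalization, zero-width and bidi stripping, entropy detection) and the strict-mode exit-code convention from the hooks section, combined into one added example. This is illustrative code, not Rigour's implementation: the four credential patterns, the entropy pass over long tokens and the `hookDecision` shape are assumptions.

```javascript
// Added example, not Rigour's code: a pre-write DLP check shaped like the
// README's PreToolUse hook. Patterns, threshold and exit codes are assumptions.
// NFKC folds fullwidth/look-alike forms; zero-width and bidi control characters
// are stripped so a split or visually reordered credential collapses back.
function normalizeForScan(text) {
  return text
    .normalize('NFKC')
    .replace(/[\u200B-\u200D\u2060\uFEFF]/g, '')
    .replace(/[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, '');
}

// Constructed subset of well-known credential shapes (public key-format prefixes).
const PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'private-key', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { id: 'jwt', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/g },
];
// Shannon entropy in bits per character: an opaque secret that matches no
// known pattern still tends to score above the README's 4.5-bit threshold.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}
// Scan one message: pattern pass first, then an entropy pass over long tokens
// that no pattern already explained.
function scanForCredentials(input, entropyThreshold = 4.5) {
  const text = normalizeForScan(input);
  const findings = [];
  for (const { id, re } of PATTERNS) {
    for (const m of text.matchAll(re)) findings.push({ rule: id, match: m[0] });
  }
  for (const tok of text.match(/[A-Za-z0-9+/_-]{32,}/g) || []) {
    if (findings.some((f) => f.match.includes(tok) || tok.includes(f.match))) continue;
    const entropy = shannonEntropy(tok);
    if (entropy > entropyThreshold) findings.push({ rule: 'high-entropy', match: tok, entropy });
  }
  return findings;
}

// Hook verdict: exit code 2 blocks the write (the README's strict-mode
// convention), exit code 0 lets it through.
function hookDecision(input) {
  const findings = scanForCredentials(input);
  return { block: findings.length > 0, exitCode: findings.length > 0 ? 2 : 0, findings };
}
```

The sample inputs in the checks are constructed; the AWS key value is the placeholder AWS uses in its own documentation, with a zero-width space inserted to show why normalization runs before matching.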

🧠 Deep Analysis (LLM-Powered)

Five-signal extraction → LLM interpretation → deterministic verification pipeline.

```bash
rigour check --deep                  # Local sidecar (Qwen2.5-Coder-0.5B, any CPU)
rigour check --deep --pro            # Full model (Qwen2.5-Coder-1.5B)
rigour check --deep --provider claude -k sk-ant-xxx  # Cloud BYOK
```

🌐 Multi-Language Support

Hallucinated import detection with stdlib whitelists and dependency manifest parsing:

JS/TS (Node.js builtins, package.json) · Python (160+ stdlib, local modules) · Go (150+ stdlib, go.mod) · Ruby (80+ stdlib, Gemfile) · C#/.NET (.NET 8 namespaces, .csproj) · Rust (std/core/alloc, Cargo.toml) · Java (java/javax/jakarta, build.gradle/pom.xml) · Kotlin (kotlin/kotlinx + Java interop, build.gradle.kts)

🛠️ Commands

| Command | Purpose |
|---|---|
| rigour scan | Zero-config stack-aware scan (auto-detect) |
| rigour scan --deep | Zero-config + local LLM deep analysis |
| rigour init | Setup config, hooks, DLP, governance |
| rigour check | Full repository quality gates |
| rigour check --ci | CI mode with minimal output |
| rigour check --deep | + local LLM analysis |
| rigour hooks init | Install real-time hooks for detected tools |
| rigour hooks check --files ... | Fast hook gates on specific files |
| rigour explain | Detailed explanation of failures |
| rigour run | Supervisor loop for agent refinement |
| rigour run --supervised | Full supervisor mode (iterative command + gate loop) |
| rigour studio | Dashboard for monitoring |
| rigour brain | Local memory status (SQLite) |
| rigour brain --compact | Prune old findings, reclaim disk |
| rigour doctor | Diagnose install + deep readiness |
| rigour export-audit | Export compliance audit report (JSON/Markdown) |
| rigour demo | Live demo on synthetic or real repos |
| rigour settings | Manage API keys and provider config |

🤖 Works With

  • Claude Code: rigour run -- claude "..." + real-time hooks
  • Cursor: Via MCP server + .cursor/hooks.json
  • Cline: Via MCP server + .clinerules/hooks/ scripts
  • Windsurf: Via MCP server + .windsurf/hooks.json
  • Gemini: Via MCP server (rigour_check, rigour_explain)
  • GitHub Actions: npx @rigour-labs/cli check --ci

📖 Documentation

📚 Full Documentation →

Quick Links
  • Getting Started: Install and run in 60 seconds
  • CLI Reference: All commands and options
  • Configuration: Customize quality gates
  • MCP Integration: AI agent setup

🧪 CI Integration

```yaml
- run: npx @rigour-labs/cli check --ci
```

📜 License

MIT © Rigour Labs

Keywords: ai


Package last updated on 18 Mar 2026
