rigging cheatsheet

One-page reference ยท v0

Rigging cheatsheet.

Print this and stick it on the wall. Everything you need to write your first rig.

โ‘  Build a rig

from rigging.runtime import Rig
from rigging.identity import KeyPair, generate_keypair
from rigging.adapters import LocalPythonAdapter

planner_key = generate_keypair()
worker_key  = generate_keypair()

rig = Rig(name="my-system")
rig.register(planner, keypair=planner_key)
rig.register(worker,  keypair=worker_key)

โ‘ก Delegate

result = await rig.call(
    caller=planner,
    callee_did=worker.did,
    capability="translate_pdf",
    input={"uri": "s3://docs/x.pdf",
           "target_language": "fr"},
    cost_budget=("usd", "0.50"),
    verifier=quality.did,
)

โ‘ข Inspect

trace = rig.finish()
trace.write("trace.json")

# CLI
rig trace inspect ./trace.json
rig trace inspect --highlight=blame

Typed errors you may get

  • VerifierRejected โ€” verifier signed a reject verdict.
  • BudgetOverrun โ€” callee exceeded the contract budget.
  • BudgetExhausted โ€” caller's parent budget already spent.
  • ContractExpired โ€” wall-clock past expires.
  • ContractRejected โ€” callee declined the proposal.
  • CalleeUnreachable โ€” DID not registered.
  • VerifierUnreachable โ€” verifier DID not registered.
  • SignatureInvalid โ€” JWS does not verify.
  • CapabilityMismatch โ€” capability or schema does not match the card.
  • PolicyDenied โ€” runtime policy refused.
  • RecursionCapExceeded โ€” contract or verifier nesting cap hit.

Span kinds in the trace

  • rig.contract.propose โ€” caller-signed contract sent to callee.
  • rig.contract.accept โ€” callee-signed acceptance.
  • rig.contract.reject โ€” callee declined (with reason).
  • rig.contract.void โ€” runtime voided (expired / overrun / unreachable / signature).
  • rig.execute โ€” callee ran the capability; output envelope attached.
  • rig.verify โ€” verifier sub-contract; verdict envelope attached.
  • rig.cost.debit โ€” ledger entry against the contract.

The six refusals

  • routing against unsigned cards.
  • contracts whose capabilities are undeclared.
  • silent retries.
  • attributing cost to anyone but the contract holder.
  • admitting unverified output as verified.
  • being a marketplace, scheduler, router, or harness.

CLI

rig identity create
rig identity show
rig identity verify card.json

rig run 01-two-agent-handoff
rig run 03-adversarial-subagent

rig trace inspect ./trace.json
rig bench
rig bench --full
rig spec validate docs/spec/...

Mental model

  • Cards โ€” who an agent is and what it claims.
  • Contracts โ€” what A asked B to do, signed.
  • Blame โ€” which envelope, walked backwards, caused the failure.
  • The rig uses MCP and A2A; it does not replace them.
  • The rig has no LLM-specific code in core. Provider concerns live in adapters.

When in doubt

  • Always pass cost_budget. No exceptions.
  • Always pass verifier in production.
  • Refuse silent retries. If your code has except / retry around rig.call, that's an explicit retry contract โ€” sign and trace it.
  • If you find yourself importing cryptography outside rigging-identity, you missed a layer.