Does your CLAUDE.md actually do anything? Trap-test your agent rules in isolated sessions and get honest deltas.
Project description
rulebench
Does your CLAUDE.md actually do anything? Point rulebench at your rules and find out.
rulebench runs trap tests across named rule configurations (no rules, your rules, your rules + skills, anything you define) in fresh isolated Claude Code sessions, grades the outputs against pre-written rubrics, and reports honest deltas: what your rules changed, what they didn't, and what never ran.
Born from rules-with-receipts, where the eval harness found that most of a rules pack's claimed value was already baseline model behavior, and the real wins were narrow and specific. This tool makes that measurement reusable for any rules file.
Quick start
pipx install rulebench # the CLI (needs python3 3.9+ and the `claude` CLI on PATH)
git clone https://github.com/ralfyishere/rulebench && cd rulebench # for the starter traps
cp config.example.json config.json # edit: point conditions at YOUR rules artifacts
rulebench config.json --reps 3 # costs real API tokens
Installed via pipx you get the rulebench command; the nine starter trap tests live in this repo's tests/, so clone it (or write your own traps) and point tests_dir at them.
Output: results/<timestamp>/REPORT.md (scores table + honesty section + per-cell verdicts with evidence) and results/<timestamp>/raw/ (every session's full output and workspace diff).
How it works
- Conditions are named bundles of rule artifacts:
claude_mdfiles get concatenated into the workspace'sCLAUDE.md;skillsdirectories get copied to.claude/skills/. An empty condition{}is your baseline. - Tests are folders under
tests/: atest.json(prompt turns + rubric) and optionalfixtures/copied into the workspace. Multi-turn tests continue the same session. Ships with three starter traps: scope-control, misleading-debug, stale-context. - Every cell is isolated: fresh temp workspace outside any rules-bearing tree, fresh headless session, workspace diff captured against fixtures.
- Grading is rubric-first: the rubric is written before running; a grader model applies it per cell with schema-enforced verdicts (PASS/PARTIAL/FAIL) and a required evidence quote.
- Quota stubs are NOT RUN, never FAIL. Provider limit messages mid-batch bias results toward whichever condition ran first; rulebench detects and excludes them, and tells you.
Reading the report
The honesty section is the point:
- Tests where all conditions tie are measuring the model, not your rules.
- Only differentiated tests say anything about your rules file.
- Medians of 1 rep are noise. Use
--reps 3minimum for anything you'll act on. - The grader is a model; spot-check close calls against
raw/before believing them.
Writing your own trap
The starter tests will saturate quickly, and public traps invite overfitting. Write private ones:
- Build a fixture where the tempting wrong move differs from the right move (a misleading symptom, a scope temptation, a fact that gets superseded).
- Verify the fixture by execution before trusting any run (the crash must crash, the bait must be real).
- Write the rubric before the first run: PASS/PARTIAL/FAIL in terms of observable behavior only.
Security: rules files are untrusted code
A rules file is instructions an agent will follow with tool access. Loading an untrusted one is running untrusted code. Screen any third-party CLAUDE.md, .cursorrules, AGENTS.md, or skill before it enters a session:
rulebench vet path/to/CLAUDE.md # a file
rulebench vet path/to/repo # or a whole repo (finds rules files)
rulebench vet ./rules --json # machine-readable, for CI
vet is offline and instant — no model calls. It flags known-shape risks: pipe-to-shell, credential/env access, exfiltration shapes, always-run directives, destructive commands, out-of-project writes, hidden text, and instruction-override language. HIGH means act; MEDIUM means glance. It exits nonzero on HIGH (tune with --fail-on), so it drops into CI.
A clean vet means "no known-shape red flags", not "safe". Pattern matching cannot catch cleverly-worded natural-language social engineering. Read anything you're about to let an agent follow, run unfamiliar rules on a machine you don't mind rebuilding, and never with credentials you can't rotate.
Honest limitations
- Claude Code headless is the only backend right now (that's what the isolation model is validated against).
- Runs cost real API tokens: cells × reps × turns, plus one grader call per cell.
- Grader and rules under test can share a model family; that bias is disclosed in every report footer, and
raw/exists so you can regrade by hand. - This tool measures behavior deltas on your traps. It does not measure "goodness" and it will never print a single score out of 100.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rulebench-0.2.0.tar.gz.
File metadata
- Download URL: rulebench-0.2.0.tar.gz
- Upload date:
- Size: 11.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f85ab6568c5df59cbd11f9dd696705a7dccaef22069c3b55786d33774cf76b4f
|
|
| MD5 |
b50a4691ef4ec32651f6d0f57c93c9ee
|
|
| BLAKE2b-256 |
4fb49d6c195fa1cb8d23e2ceab070a085cabcd32c7fedaf17eefcc685db1ef49
|
Provenance
The following attestation bundles were made for rulebench-0.2.0.tar.gz:
Publisher:
publish.yml on ralfyishere/rulebench
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
rulebench-0.2.0.tar.gz -
Subject digest:
f85ab6568c5df59cbd11f9dd696705a7dccaef22069c3b55786d33774cf76b4f - Sigstore transparency entry: 2108926837
- Sigstore integration time:
-
Permalink:
ralfyishere/rulebench@73e8a25967cc7b867c8088d7d4817620d459daa7 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/ralfyishere
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@73e8a25967cc7b867c8088d7d4817620d459daa7 -
Trigger Event:
release
-
Statement type:
File details
Details for the file rulebench-0.2.0-py3-none-any.whl.
File metadata
- Download URL: rulebench-0.2.0-py3-none-any.whl
- Upload date:
- Size: 13.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
89cc07a537d1b1e795dbdd63297338323005625b761a5112f3fa4bc5e8f158b8
|
|
| MD5 |
bf53aea97f22d3ce37b8f7b48b2c8c73
|
|
| BLAKE2b-256 |
cda15f6e21ad654b0c33ad5e9b6a1ba2d3b140b979b50f7fd832ba3727dd5730
|
Provenance
The following attestation bundles were made for rulebench-0.2.0-py3-none-any.whl:
Publisher:
publish.yml on ralfyishere/rulebench
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
rulebench-0.2.0-py3-none-any.whl -
Subject digest:
89cc07a537d1b1e795dbdd63297338323005625b761a5112f3fa4bc5e8f158b8 - Sigstore transparency entry: 2108926982
- Sigstore integration time:
-
Permalink:
ralfyishere/rulebench@73e8a25967cc7b867c8088d7d4817620d459daa7 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/ralfyishere
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@73e8a25967cc7b867c8088d7d4817620d459daa7 -
Trigger Event:
release
-
Statement type: