Skip to main content

Does your CLAUDE.md actually do anything? Trap-test your agent rules in isolated sessions and get honest deltas.

Project description

rulebench

Does your CLAUDE.md actually do anything? Point rulebench at your rules and find out.

rulebench runs trap tests across named rule configurations (no rules, your rules, your rules + skills, anything you define) in fresh isolated Claude Code sessions, grades the outputs against pre-written rubrics, and reports honest deltas: what your rules changed, what they didn't, and what never ran.

Born from rules-with-receipts, where the eval harness found that most of a rules pack's claimed value was already baseline model behavior, and the real wins were narrow and specific. This tool makes that measurement reusable for any rules file.

Quick start

pipx install rulebench   # the CLI (needs python3 3.9+ and the `claude` CLI on PATH)
git clone https://github.com/ralfyishere/rulebench && cd rulebench   # for the starter traps
cp config.example.json config.json   # edit: point conditions at YOUR rules artifacts
rulebench config.json --reps 3       # costs real API tokens

Installed via pipx you get the rulebench command; the nine starter trap tests live in this repo's tests/, so clone it (or write your own traps) and point tests_dir at them.

Output: results/<timestamp>/REPORT.md (scores table + honesty section + per-cell verdicts with evidence) and results/<timestamp>/raw/ (every session's full output and workspace diff).

How it works

  • Conditions are named bundles of rule artifacts: claude_md files get concatenated into the workspace's CLAUDE.md; skills directories get copied to .claude/skills/. An empty condition {} is your baseline.
  • Tests are folders under tests/: a test.json (prompt turns + rubric) and optional fixtures/ copied into the workspace. Multi-turn tests continue the same session. Ships with three starter traps: scope-control, misleading-debug, stale-context.
  • Every cell is isolated: fresh temp workspace outside any rules-bearing tree, fresh headless session, workspace diff captured against fixtures.
  • Grading is rubric-first: the rubric is written before running; a grader model applies it per cell with schema-enforced verdicts (PASS/PARTIAL/FAIL) and a required evidence quote.
  • Quota stubs are NOT RUN, never FAIL. Provider limit messages mid-batch bias results toward whichever condition ran first; rulebench detects and excludes them, and tells you.

Reading the report

The honesty section is the point:

  • Tests where all conditions tie are measuring the model, not your rules.
  • Only differentiated tests say anything about your rules file.
  • Medians of 1 rep are noise. Use --reps 3 minimum for anything you'll act on.
  • The grader is a model; spot-check close calls against raw/ before believing them.

Writing your own trap

The starter tests will saturate quickly, and public traps invite overfitting. Write private ones:

  1. Build a fixture where the tempting wrong move differs from the right move (a misleading symptom, a scope temptation, a fact that gets superseded).
  2. Verify the fixture by execution before trusting any run (the crash must crash, the bait must be real).
  3. Write the rubric before the first run: PASS/PARTIAL/FAIL in terms of observable behavior only.

Security: rules files are untrusted code

A rules file is instructions an agent will follow with tool access. Loading an untrusted one is running untrusted code. Screen any third-party CLAUDE.md, .cursorrules, AGENTS.md, or skill before it enters a session:

rulebench vet path/to/CLAUDE.md      # a file
rulebench vet path/to/repo           # or a whole repo (finds rules files)
rulebench vet ./rules --json         # machine-readable, for CI

vet is offline and instant — no model calls. It flags known-shape risks: pipe-to-shell, credential/env access, exfiltration shapes, always-run directives, destructive commands, out-of-project writes, hidden text, and instruction-override language. HIGH means act; MEDIUM means glance. It exits nonzero on HIGH (tune with --fail-on), so it drops into CI.

A clean vet means "no known-shape red flags", not "safe". Pattern matching cannot catch cleverly-worded natural-language social engineering. Read anything you're about to let an agent follow, run unfamiliar rules on a machine you don't mind rebuilding, and never with credentials you can't rotate.

Honest limitations

  • Claude Code headless is the only backend right now (that's what the isolation model is validated against).
  • Runs cost real API tokens: cells × reps × turns, plus one grader call per cell.
  • Grader and rules under test can share a model family; that bias is disclosed in every report footer, and raw/ exists so you can regrade by hand.
  • This tool measures behavior deltas on your traps. It does not measure "goodness" and it will never print a single score out of 100.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rulebench-0.2.0.tar.gz (11.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rulebench-0.2.0-py3-none-any.whl (13.1 kB view details)

Uploaded Python 3

File details

Details for the file rulebench-0.2.0.tar.gz.

File metadata

  • Download URL: rulebench-0.2.0.tar.gz
  • Upload date:
  • Size: 11.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for rulebench-0.2.0.tar.gz
Algorithm Hash digest
SHA256 f85ab6568c5df59cbd11f9dd696705a7dccaef22069c3b55786d33774cf76b4f
MD5 b50a4691ef4ec32651f6d0f57c93c9ee
BLAKE2b-256 4fb49d6c195fa1cb8d23e2ceab070a085cabcd32c7fedaf17eefcc685db1ef49

See more details on using hashes here.

Provenance

The following attestation bundles were made for rulebench-0.2.0.tar.gz:

Publisher: publish.yml on ralfyishere/rulebench

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file rulebench-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: rulebench-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 13.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for rulebench-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 89cc07a537d1b1e795dbdd63297338323005625b761a5112f3fa4bc5e8f158b8
MD5 bf53aea97f22d3ce37b8f7b48b2c8c73
BLAKE2b-256 cda15f6e21ad654b0c33ad5e9b6a1ba2d3b140b979b50f7fd832ba3727dd5730

See more details on using hashes here.

Provenance

The following attestation bundles were made for rulebench-0.2.0-py3-none-any.whl:

Publisher: publish.yml on ralfyishere/rulebench

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page