SigmaShake
Governance rules for AI agents — zero-latency, zero-token enforcement.
SigmaShake is a rule engine that evaluates AI agent tool calls against declarative governance rules before they execute. It operates at the tool-call boundary — no LLM tokens consumed, sub-millisecond latency, deterministic decisions.
What it does
When an AI agent (like Claude Code) calls a tool — running a shell command, editing a file, making a network request — SigmaShake intercepts the call, evaluates it against your ruleset, and returns a decision:
- ALLOW — Let it through
- DENY — Block it with an explanation
- LOG — Allow but record for audit
- SHADOW — Allow silently, log for monitoring
- ASK — Pause and require human approval via dashboard
- FORCE — Block with a suggested substitute command
Why it exists
AI agents are powerful but unpredictable. Without governance:
- Agents run `rm -rf /` or `git push --force` on production branches
- Agents read `.env` files containing secrets
- Agents install packages without pinning versions
- Agents skip tests, bypass linters, or amend commits they shouldn't
SigmaShake catches these at the boundary, before the damage is done.
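To make the tool-call boundary concrete, here is a minimal evaluator written for this page as an added example; it is not SigmaShake's code or rule DSL. The rule ids, the lowercase decision strings, and the `Read` tool with a `file_path` field are assumptions; only the `{"tool": ..., "input": ...}` call shape and the decision/rule_id/reason reply shape follow the Quick start.

```python
import json
import os
import re
import shlex

def segments(command):
    """Split a shell line on ;, &&, ||, | and tokenise each part."""
    for part in re.split(r"&&|\|\||[;|]", command):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = part.split()
        if argv:
            yield argv

def flags(argv):
    """Expand short flags (-rf -> r, f) and keep long flags (--force) whole."""
    out = set()
    for arg in argv[1:]:
        out.update([arg] if arg.startswith("--") else arg[1:] if arg.startswith("-") else "")
    return out

def rm_root(argv):
    return (argv[0] == "rm" and bool({"r", "R", "--recursive"} & flags(argv))
            and any(a in ("/", "/*") for a in argv[1:]))

def force_push(argv):
    return argv[:2] == ["git", "push"] and bool({"f", "--force"} & flags(argv))

def env_file(path):
    return re.fullmatch(r"\.env(\..+)?", os.path.basename(path)) is not None

RULES = [  # constructed rules: (rule_id, tool, input field, predicate, decision, reason)
    ("no-root-delete", "Bash", "command", lambda c: any(map(rm_root, segments(c))), "deny", "Recursive delete of / blocked."),
    ("force-push", "Bash", "command", lambda c: any(map(force_push, segments(c))), "ask", "Force push needs human approval."),
    ("no-env-read", "Read", "file_path", env_file, "deny", "Reading .env files is blocked."),
]

def evaluate(raw):
    """Return a decision for one JSON tool call; malformed input fails closed."""
    try:
        call = json.loads(raw)
        for rule_id, rule_tool, field, pred, decision, reason in RULES:
            value = call["input"].get(field)
            if call["tool"] == rule_tool and isinstance(value, str) and pred(value):
                return {"decision": decision, "rule_id": rule_id, "reason": reason}
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"decision": "deny", "rule_id": "malformed-call", "reason": "Unparseable tool call."}
    return {"decision": "allow", "rule_id": None, "reason": "No rule matched."}
```

Matching on parsed arguments rather than the raw string is what lets `cd /tmp && git push -f origin main` hit the force-push rule while `git push --force-with-lease` and `rm -r ./build` pass.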
Key properties
| Property | Detail |
|---|---|
| Latency | < 2ms per evaluation |
| Dependencies | Zero runtime dependencies (single binary) |
| Transport | Stdin/stdout JSON for CLI, SSE for MCP |
| Storage | SQLite for local, KV for edge |
| Rules | Declarative DSL, hot-reloaded on every eval |
| Audit | Every eval logged with tool, input, decision, rule, timestamp |
Components
| Component | Purpose | URL |
|---|---|---|
| ssg (CLI) | Rule evaluation, linting, dashboard | Local binary |
| Dashboard | Real-time approval UI, audit viewer | localhost:5599 |
| Rules Hub | Public registry of .rules files | hub.sigmashake.com |
| MCP Server | Remote rule evaluation for AI agents | mcp.sigmashake.com |
| Docs | This site | docs.sigmashake.com |
Quick start
```sh
# Install
curl -fsSL https://sigmashake.com/install | sh

# Initialize in your project
ssg init

# Start the dashboard
ssg serve

# Evaluate a tool call
echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' | ssg eval
# → {"decision":"block","rule_id":"no-destructive-ops","reason":"Destructive command blocked."}
```
See Getting Started for the full setup guide.