Claude Code Integration
SigmaShake integrates natively with Claude Code via the PreToolUse hook system.
Quick setup
ssg init --client claude-code
This creates:
- .sigmashake/rules/ — Governance rules directory with starter ruleset
- .claude/hooks/ssg-check.sh — PreToolUse hook script
- .claude/settings.json — Hook configuration
How it works
Every time Claude Code calls a tool (Bash, Read, Write, Edit, Agent, etc.), the PreToolUse hook:
- Receives the tool call as JSON: {"tool": "Bash", "input": {"command": "..."}}
- Pipes it to ssg eval
- Returns the decision to Claude Code:
  - allow → Tool executes normally
  - block → Tool call rejected with reason shown to Claude
  - ask → Pauses for human approval in the dashboard
  - force → Rejected with substitute suggestion
Hook script
The hook at .claude/hooks/ssg-check.sh:
#!/bin/bash
# SigmaShake PreToolUse hook for Claude Code
set -euo pipefail
# Circuit breaker: auto-allow after 5 consecutive denies
DENY_FILE="/tmp/ssg-deny-count"
# ... circuit breaker logic ...
echo "$1" | ssg eval
Circuit breaker
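After 5 consecutive deny decisions, the hook auto-allows to prevent complete agent lockout. This guards against a misconfigured rule blocking all tool calls. The breaker fails open: once it has tripped, tool calls are allowed regardless of the rules, so treat a trip as a prompt to review the ruleset, then reset the counter.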
Reset: rm /tmp/ssg-deny-count
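A sketch of the counter logic that the hook script above elides, added here as an example; it is not SigmaShake's implementation. It assumes that `block` and `force` count as denies, that the breaker stays open until the counter file is removed, and that state lives in a private per-user directory rather than in `/tmp`; all function and variable names are hypothetical.

```bash
#!/bin/bash
# Added sketch (not SigmaShake's code): consecutive-deny circuit breaker.
# Assumptions: "block" and "force" count as denies; the breaker stays open
# until the counter file is removed; all names below are hypothetical.
set -eu

SSG_STATE_DIR="${SSG_STATE_DIR:-${XDG_STATE_HOME:-${HOME:-}/.local/state}/ssg-hook}"
SSG_DENY_LIMIT=5

breaker_init() {
  # Private per-user state: 0700 directory, and never a symlink.
  ( umask 077; mkdir -p "$SSG_STATE_DIR" )
  if [ -L "$SSG_STATE_DIR" ]; then
    echo "ssg-hook: state dir is a symlink, refusing" >&2
    return 1
  fi
  chmod 700 "$SSG_STATE_DIR"
}

breaker_count() {
  # Current streak; a missing or malformed counter file reads as 0.
  _n=""
  if [ -f "$SSG_STATE_DIR/deny-count" ]; then
    _n=$(cat "$SSG_STATE_DIR/deny-count")
  fi
  case "$_n" in ''|*[!0-9]*|0?*) _n=0 ;; esac
  printf '%s\n' "$_n"
}

breaker_record() {
  # $1: decision from the policy engine. Prints the decision to act on.
  _decision="$1"
  breaker_init
  _count=$(breaker_count)
  if [ "$_count" -ge "$SSG_DENY_LIMIT" ]; then
    # Breaker open: a fail-open event, so leave a reviewable trace.
    printf '%s breaker open, overriding "%s" with allow\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_decision" >> "$SSG_STATE_DIR/breaker.log"
    printf 'allow\n'
    return 0
  fi
  case "$_decision" in
    block|force) _count=$((_count + 1)) ;;  # extend the streak
    *)           _count=0 ;;                # any other decision resets it
  esac
  printf '%s\n' "$_count" > "$SSG_STATE_DIR/deny-count"
  printf '%s\n' "$_decision"
}
```

Every override is appended to `breaker.log` in the state directory, which gives a record to check against the dashboard audit table after a trip.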
Tool capability mapping
SigmaShake maps Claude Code tools to capability categories:
| Claude Code Tool | Capability |
|---|---|
| Bash | execute |
| Read | read |
| Write, Edit, MultiEdit | write |
| Glob, Grep | search |
| Agent | agent |
| WebFetch, WebSearch | network |
Rules target capabilities, not individual tools:
DENY execution → blocks Bash
DENY write → blocks Write, Edit, MultiEdit
DENY any → blocks everything
Dashboard integration
When a rule uses the ASK decision, Claude Code pauses and waits for approval:
- Terminal bell rings
- Dashboard shows the pending approval at http://localhost:5599
- User reviews and approves/denies
- Claude Code resumes with the decision
Start the dashboard before using ASK rules:
ssg serve
Agent monitoring
Monitor Claude Code's Agent tool (sub-agent spawning):
rule log-explore-agents {
  LOG agent
  IF input.subagent_type EQUALS "Explore"
  MESSAGE "Explore agent activity logged."
}
rule block-background-agents {
  DENY agent
  IF input.run_in_background EQUALS "true"
  MESSAGE "Background agents not allowed."
}
The dashboard audit table shows agent subagent_type as inline badges.
Troubleshooting
Hook not running
Check that the hook is registered:
cat .claude/settings.json
Should contain:
{
  "hooks": {
    "PreToolUse": [
      {
        "type": "command",
        "command": ".claude/hooks/ssg-check.sh"
      }
    ]
  }
}
All tools being blocked
Check for overly broad rules:
ssg list
Reset circuit breaker:
rm /tmp/ssg-deny-count
Dashboard not showing approvals
Ensure the dashboard is running:
ssg status
ssg serve