
CLI Reference

The ssg binary is the primary interface for SigmaShake governance.

Commands

ssg eval

Evaluate a tool call from stdin JSON.

echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' | ssg eval

Input format:

{
  "tool": "Bash",
  "input": {
    "command": "rm -rf /"
  }
}

Output format (stdout, JSON only):

{
  "decision": "block",
  "rule_id": "no-destructive-ops",
  "reason": "Destructive command blocked.",
  "duration_ms": 1
}

Flags:

  • --rules <dir> — Use rules from a specific directory (default: .sigmashake/rules)
  • --explain — Include matched condition details in output
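
A hook that consumes this output has to handle the cases where ssg eval is missing, times out or prints something other than the documented JSON. The following is an added example, not SigmaShake's own code: it sends a tool call in the stdin format above and treats every failure as a block. The decision strings "allow" and "ask", the function names and the binary parameter are assumptions; only "block" appears in the sample output on this page.

```python
import json
import subprocess

# "block" is the value in this page's sample output; "allow" and "ask" are
# assumed spellings for the other decisions.
KNOWN_DECISIONS = ("allow", "ask", "block")


def build_request(tool, tool_input):
    """Serialize a tool call in the stdin format shown for `ssg eval`."""
    return json.dumps({"tool": tool, "input": tool_input})


def parse_decision(stdout_text):
    """Return (decision, rule_id, reason); malformed output becomes a block."""
    try:
        result = json.loads(stdout_text)
    except (TypeError, ValueError):
        return ("block", None, "unparseable ssg eval output")
    if not isinstance(result, dict):
        return ("block", None, "ssg eval output is not a JSON object")
    decision = result.get("decision")
    if decision not in KNOWN_DECISIONS:
        return ("block", None, "missing or unknown decision: %r" % (decision,))
    return (decision, result.get("rule_id"), result.get("reason"))


def evaluate(tool, tool_input, rules_dir=None, binary="ssg", timeout=5):
    """Run `ssg eval` on one tool call; any failure to run is a block."""
    cmd = [binary, "eval"]
    if rules_dir:
        cmd += ["--rules", rules_dir]
    try:
        proc = subprocess.run(cmd, input=build_request(tool, tool_input),
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return ("block", None, "ssg eval did not run: %s" % exc)
    return parse_decision(proc.stdout)


if __name__ == "__main__":
    # Constructed sample that mirrors the documented output format.
    sample = ('{"decision": "block", "rule_id": "no-destructive-ops", '
              '"reason": "Destructive command blocked.", "duration_ms": 1}')
    print(parse_decision(sample))
    print(parse_decision("ssg: internal error"))  # not JSON, so blocked
    print(evaluate("Bash", {"command": "ls"}))
```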

ssg serve

Start the governance dashboard.

ssg serve
ssg serve --port 8080

Default port: 5599. Dashboard features:

  • Real-time audit log with SSE updates
  • Pending approval queue for ASK decisions
  • Rule viewer and editor
  • Performance metrics and profiling

ssg check

Scan files for rule violations.

ssg check .
ssg check src/

ssg lint

Validate .rules file syntax.

ssg lint

Checks for:

  • Parse errors (malformed rules)
  • Unknown fields or operators
  • Invalid regex patterns
  • Missing required fields (PROMPT for ASK, SUBSTITUTE for FORCE)

ssg init

Initialize SigmaShake in a project.

ssg init
ssg init --client claude-code

Creates .sigmashake/rules/ with a starter ruleset. With --client claude-code, also installs the PreToolUse hook.

ssg status

Check system health.

ssg status

Output:

{
  "healthy": true,
  "rules": 22,
  "pending": 0,
  "dashboard": "running"
}

ssg list

Show all loaded rules.

ssg list
ssg list --json

ssg sync

Pull rules from edge API to local SQLite.

ssg sync

ssg push

Push local .rules files to edge API.

ssg push

ssg test-rule

Test a specific rule against a tool call.

echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' | ssg test-rule --rule no-destructive-ops --explain

ssg metrics

Show session metrics.

ssg metrics

ssg blocked

Show recently blocked commands.

ssg blocked
ssg blocked --since 1h

ssg dedupe

Detect duplicate or overlapping rules.

ssg dedupe

ssg flight

View flight recorder telemetry.

ssg flight

ssg profile

Profile evaluation latency.

ssg profile

ssg publish

Publish local .rules files to GitHub and submit to the SigmaShake Rules Hub.

ssg publish

Prerequisites:

  • GitHub CLI (gh) installed and authenticated (gh auth login)
  • .rules files in .sigmashake/rules/ (create with ssg init)

Flags:

Flag            Description                         Default
--repo=<name>   GitHub repo name                    rules-<cwd>
--desc=<text>   Repository description              Auto-generated
--path=<dir>    Rules directory to push             .sigmashake/rules
--no-browser    Print hub URL, don't open browser   false

What it does:

  1. Checks gh auth — exits with instructions if not logged in
  2. Creates github.com/<you>/<repo> (public, idempotent — skips if exists)
  3. Copies .rules files into the repo and pushes to main
  4. Opens hub.sigmashake.com/submit pre-filled with the repo URL

Example:

ssg publish --repo=my-typescript-rules --desc="TypeScript safety rules"
# → Creates github.com/alice/my-typescript-rules
# → Pushes 3 .rules files
# → Opens hub.sigmashake.com/submit in browser

After the browser opens, sign in with GitHub and click Submit to complete.

See Publishing Guide for the full flow including MCP and REST API paths.

ssg hub pull

Install a ruleset from hub.sigmashake.com by UUID with integrity verification.

ssg hub pull <ruleset-id>

Example:

ssg hub pull 550e8400-e29b-41d4-a716-446655440000
# Fetching ruleset 550e8400...
# TypeScript v3 by @sigmashakeinc — 12 rules
# Verifying integrity... OK (sha256:4a9f3c1b8e2d7f05...)
#
# Installed: TypeScript v3
# Integrity: sha256:4a9f3c1b8e2d7f05... VERIFIED
# Technologies: ts
# Files written:
# .sigmashake/rules/ts.rules

Flags:

Flag           Description                       Default
--path=<dir>   Directory to write .rules files   .sigmashake/rules

What it does:

  1. Fetches ruleset metadata and all rule bodies from hub.sigmashake.com/api/rulesets/<id>
  2. Recomputes the SHA-256 content hash from the downloaded rule bodies
  3. Compares the computed hash to the hub-stored content_hash — aborts if they differ
  4. Writes one .rules file per technology to the rules directory
  5. Registers the download on the hub (best-effort, non-fatal)

Getting the ruleset ID: Find it in the URL when viewing a ruleset on the hub: hub.sigmashake.com/ruleset/<id>.

After installing:

ssg sync    # load new rules into the engine
ssg list    # verify rules are loaded

See Security & Trust for details on the integrity verification model.