MCP Server
The SigmaShake MCP server exposes governance tools via the Model Context Protocol, enabling AI agents to evaluate tool calls against rules remotely.
Overview
- Transport: SSE (Server-Sent Events) with JSON-RPC 2.0
- Runtime: Cloudflare Worker
- Storage: Cloudflare KV for rules and audit log
- URL: https://mcp.sigmashake.com/sse
Client configuration
Claude Code
Add to your MCP settings:
{
  "mcpServers": {
    "sigmashake": {
      "url": "https://mcp.sigmashake.com/sse"
    }
  }
}
With API key
{
  "mcpServers": {
    "sigmashake": {
      "url": "https://mcp.sigmashake.com/sse",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}
Available tools
sigmashake_eval
Evaluate a tool call against governance rules.
Input:
{
  "tool": "Bash",
  "input": {"command": "rm -rf /"},
  "rules": "optional raw .rules text"
}
Output:
{
  "decision": "block",
  "rule_id": "no-destructive-ops",
  "reason": "Destructive command blocked."
}
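A client-side gate around sigmashake_eval, as an added example that is not part of the SigmaShake documentation or code: it builds the JSON-RPC 2.0 request and refuses to run the tool call unless the response is a well-formed, permitted decision (fail closed). It assumes the standard MCP `tools/call` method and that the documented output arrives as JSON text in `result.content[0].text`; `buildEvalRequest`, `parseObject` and `gate` are hypothetical names.

```javascript
// Added example, not SigmaShake code. Assumes the standard MCP "tools/call"
// method and the documented output as JSON text in result.content[0].text.

// Build the JSON-RPC 2.0 request body to POST to the message endpoint.
function buildEvalRequest(id, tool, input) {
  return {
    jsonrpc: "2.0",
    id,
    method: "tools/call",
    params: { name: "sigmashake_eval", arguments: { tool, input } },
  };
}

// Parse text as JSON and return it only if it is an object; otherwise null.
function parseObject(text) {
  try {
    const v = JSON.parse(text);
    return v !== null && typeof v === "object" ? v : null;
  } catch {
    return null;
  }
}

// Decide whether the agent may run the tool call. Anything other than an
// explicit, well-formed, permitted decision is denied (fail closed).
// `permitted` defaults to "log", the only non-block decision shown on the page;
// extend it with whatever your server returns for a passing call.
function gate(requestId, rawResponse, permitted = ["log"]) {
  const deny = (reason) => ({ run: false, reason });
  const msg = parseObject(rawResponse);
  if (!msg) return deny("response is not a JSON object");
  if (msg.jsonrpc !== "2.0" || msg.id !== requestId) return deny("unexpected JSON-RPC envelope");
  if (msg.error) return deny("JSON-RPC error: " + msg.error.message);
  if (!msg.result || msg.result.isError) return deny("tool reported an error");
  const item = Array.isArray(msg.result.content) ? msg.result.content[0] : undefined;
  const verdict = item && item.type === "text" ? parseObject(item.text) : null;
  if (!verdict) return deny("tool output is not a JSON object");
  if (verdict.decision === "block") return deny(`${verdict.rule_id}: ${verdict.reason}`);
  if (!permitted.includes(verdict.decision)) return deny("unrecognised decision");
  return { run: true, reason: verdict.decision };
}
```

A timeout or dropped SSE connection should be treated the same way as a malformed response: the tool call does not run.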
sigmashake_rules_list
List all governance rules with optional filtering.
Input:
{
  "filter": "destructive",
  "severity": "error"
}
Output:
{
  "count": 3,
  "rules": [
    {
      "id": "no-rm-rf",
      "priority": 100,
      "severity": "error",
      "decision": "block",
      "target": "execution",
      "message": "Destructive command blocked",
      "enabled": true
    }
  ]
}
sigmashake_rules_get
Get the full definition of a specific rule.
Input:
{
  "rule_id": "no-rm-rf"
}
sigmashake_audit
Query the audit log of recent evaluations.
Input:
{
  "decision": "block",
  "tool": "Bash",
  "limit": 20
}
Output:
{
  "count": 5,
  "entries": [
    {
      "id": "abc-123",
      "tool": "Bash",
      "input": "{\"command\":\"rm -rf /\"}",
      "rule_id": "no-rm-rf",
      "decision": "block",
      "timestamp": 1712180400
    }
  ]
}
sigmashake_status
Get health status and system metrics.
Output:
{
  "healthy": true,
  "service": "sigmashake-mcp",
  "version": "0.1.0",
  "rules": 22,
  "audit_entries": 150,
  "last_eval": 1712180400
}
sigmashake_hub_submit
Publish .rules files from a public GitHub repository to the SigmaShake Rules Hub. No browser required — ideal for AI agents that create and publish governance rules autonomously.
Prerequisites: GitHub personal access token with public_repo scope. Generate one at github.com/settings/tokens.
Input:
{
  "repo_url": "https://github.com/alice/rules-typescript",
  "path": ".sigmashake/rules",
  "github_token": "ghp_xxxxxxxxxxxxxxxxxxxx"
}
- repo_url: GitHub repository URL (required, must be public)
- path: path to .rules files within the repo (optional, default: .sigmashake/rules)
- github_token: GitHub PAT with public_repo scope (required)
Output (success):
{
  "ok": true,
  "ruleset_id": "a1b2c3d4-e5f6-...",
  "hub_url": "https://hub.sigmashake.com/ruleset/a1b2c3d4-e5f6-...",
  "rule_count": 13,
  "technologies": ["ts"]
}
Idempotent — re-submitting the same repo updates the existing ruleset (same ruleset_id).
AI agent workflow example:
1. Create .rules files in .sigmashake/rules/
2. Push repo to GitHub (via Bash or ssg publish --no-browser)
3. Call sigmashake_hub_submit with repo_url + github_token
4. Rules are live at hub_url immediately
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /sse | SSE connection (returns message endpoint URL) |
| POST | /message | JSON-RPC 2.0 message handler |
| GET | /health | Health check |
Self-hosting
The MCP server is a Cloudflare Worker. To deploy your own:
cd sigmashake-mcp
npm install
# Create KV namespace
wrangler kv namespace create RULES
# Update wrangler.toml with namespace ID
# Deploy
npm run deploy
Seeding rules
Push rules to KV as a JSON array under the ruleset key:
wrangler kv key put --namespace-id YOUR_KV_ID ruleset '[{"id":"example","priority":50,"severity":"warning","decision":"log","target":"any","message":"Example rule","enabled":true,"conditions":[]}]'