SigmaShake vs. a Raw PreToolUse Hook
Yes — the enforcement mechanism is a Claude Code PreToolUse hook. SigmaShake is honest about this. If you only need one rule on one machine and you're happy to maintain the script yourself, a raw hook is a perfectly valid choice.
Here's what SigmaShake adds on top.
What a raw hook gives you
.claude/settings.json:

```json
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{ "type": "command", "command": "my-guard.sh" }]
    }]
  }
}
```
You write my-guard.sh. It runs before every Bash tool call. It can block, pass, or print a message. Done.
This is genuinely useful. For a single project with a few rules, a shell script is sufficient.
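A minimal my-guard.sh for the settings above, as an added example (not SigmaShake's code and not from the original page). It relies on the Claude Code hook contract (tool call as JSON on stdin, exit code 2 blocks the call); the rule names, regexes, log path and GUARD_LOG variable are constructed for illustration, and jq is assumed to be installed.

```shell
#!/bin/sh
# my-guard.sh: PreToolUse guard for the Bash tool (added example, POSIX sh).
# Claude Code sends the tool call as JSON on stdin. Exit 0 lets the call run;
# exit 2 blocks it and returns stderr to the model. Other non-zero codes do
# not block, so every error path below exits 2 explicitly (fail closed).

LOG="${GUARD_LOG:-$HOME/.claude/my-guard.log}"  # assumed log location

# check_command CMD: print the name of the first matching deny rule and
# return 2, or return 0 when nothing matches. Rules are constructed samples
# in "name regex" form (POSIX extended regex, no literal spaces).
check_command() {
  while read -r name regex; do
    if printf '%s\n' "$1" | grep -Eq -- "$regex"; then
      printf '%s\n' "$name"
      return 2
    fi
  done <<'RULES'
rm-root-or-home rm[[:space:]]+-[[:alpha:]]*r[[:alpha:]]*[[:space:]]+(/|~|\$HOME)([[:space:]]|$)
pipe-to-shell (curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)
force-push git[[:space:]]+push[[:space:]].*--force
RULES
  return 0
}

main() {
  command -v jq >/dev/null 2>&1 ||
    { echo "my-guard: jq not found, blocking" >&2; exit 2; }
  cmd=$(jq -r '.tool_input.command // empty') ||
    { echo "my-guard: unreadable hook input, blocking" >&2; exit 2; }
  if rule=$(check_command "$cmd"); then verdict=allow; else verdict="deny:$rule"; fi
  # One tab-separated line per decision; newlines and tabs in the command
  # are flattened so a multi-line command cannot forge extra log entries.
  flat=$(printf '%s' "$cmd" | tr '\n\t' '  ')
  printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" "$flat" >>"$LOG"
  [ "$verdict" = allow ] && exit 0
  echo "Blocked by my-guard rule '$rule'." >&2
  exit 2
}

# Act as a hook only when run under its own name, so a test harness can load
# the functions without main consuming stdin.
case "${0##*/}" in my-guard.sh) main ;; esac
```

A pattern match on the command string catches mistakes rather than a determined bypass, so treat it as a guardrail alongside OS-level permissions.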
What breaks at scale
| Problem | Raw hook | SigmaShake |
|---|---|---|
| Rule authoring | Shell/Python ad hoc | Structured DSL with lint, format, validation |
| Rule sharing across machines | Manual copy-paste | ssg hub pull or fleet sync |
| Trusted rules from the community | You vet everything manually | Ed25519-signed Hub bundles, content-hashed |
| Audit log | Whatever you echo to a file | Merkle-chain tamper-evident log, exportable |
| Fleet policy sync | Ansible/Salt/manual | ssg fleet push — policy propagates to all machines |
| Approval dashboard | None | Browser UI for queued approvals, rule stats, profiling |
| Rule testing | Manual | ssg eval + ssg lint |
| Version control for rules | Git, by convention | Rule versioning in the Hub with semver |
When to use a raw hook
- One developer, one machine, fewer than 5 rules
- You're prototyping a rule idea before contributing it to the Hub
- You have a use case that SigmaShake's DSL doesn't cover yet (please file an issue)
When to use SigmaShake
- Team of two or more sharing a policy baseline
- You need an audit trail you can hand to a compliance reviewer
- You want community rules you can trust without writing from scratch
- You're managing multiple machines or agents and need fleet-wide consistency
Relationship between the two
SigmaShake doesn't fight with raw hooks — it is a hook. When you run ssg init, it registers itself as a PreToolUse and PreWrite hook in your Claude Code settings file. You can inspect exactly what it does with cat ~/.claude/settings.json. Nothing is hidden.