Skip to main content

SigmaShake SSG for VS Code

The SigmaShake SSG extension brings the full governance dashboard into Visual Studio Code as a side panel, sidebar, and status-bar item. It connects to your local ssg serve daemon and shows pending approvals, rule state, and a live audit log without leaving the editor.

Install

Three ways:

  1. Quick install — click Install in VS Code. VS Code opens the Marketplace tile.
  2. Inside VS Code — open Extensions (Ctrl+Shift+X / Cmd+Shift+X), search SigmaShake SSG, click Install.
  3. CLI: 
    code --install-extension sigmashake.sigmashake-ssg
    # Cursor / Codium:
    cursor --install-extension sigmashake.sigmashake-ssg

You also need the SSG daemon running locally:

pnpm add -g @sigmashake/ssg
ssg init
ssg serve   # binds 127.0.0.1:5599 by default

Or install SigmaShake Desktop, which manages the daemon for you.

First-run setup

  1. Open the SigmaShake SSG activity bar icon (the shield, on the left rail).
  2. Run SSG: Set Auth Token from the Command Palette (Ctrl+Shift+P / Cmd+Shift+P).
  3. Paste your token. Find it in the ssg serve startup output, or in ~/.sigmashake/config.toml under dashboard.token.
  4. The Pending / Rules / Audit sidebars populate immediately. The status-bar item turns green when the daemon is reachable.

Tokens are stored in VS Code's SecretStorage, backed by your OS keychain. They never appear in settings.json.

The three sidebars

Pending Approvals

When an AI tool call hits an ASK rule, it pauses and waits for your decision. The sidebar shows each pending item with the tool name, an input preview, and the rule that triggered.

  • Allow — green check, approves once
  • Deny — red x, denies once
  • Always Allow — saves a permanent ALLOW autopilot rule for this exact tool + input shape
  • Always Deny — saves a permanent DENY autopilot rule

The status-bar item shows the live pending count and turns yellow when items need attention.

Rules

All .rules files in your project, grouped by source file. Each rule row shows:

  • DecisionDENY (red), ALLOW (green), LOG (gray), ASK (yellow), FORCE (purple)
  • Target capabilityexecute, read, write, search, agent, network
  • Priority — higher = matched first
  • Enabled toggle — click the icon to flip without editing the file

Audit Log

A live view of the last 50 AI tool evaluations, refreshed via Server-Sent Events from the daemon's /api/events stream. Each row shows the tool, the matched rule, the decision, evaluation latency, and the AI client (claude-code, cursor, gemini, etc.).

Embedded dashboard panel

Run SSG: Open Dashboard to open the full SSG dashboard as a VS Code panel — identical to what SigmaShake Desktop renders, identical to http://127.0.0.1:5599 in your browser. You get the rules editor, charts, hub integration, and history pages without context-switching.

The panel honors your ssg.daemonHost and ssg.daemonPort settings, so it works against a remote daemon as well as the default local one.

The toolbar above the iframe exposes:

  • Report a bug — opens the multi-step ticket form
  • Docs — opens this page
  • Open in browser — convenience link to the daemon's web URL
  • Reload — re-fetches the dashboard SPA

.rules language support

The extension registers .rules as a first-class language:

  • Syntax highlightingDENY, ALLOW, ASK, LOG, IF, AND, decision verbs, operators, strings
  • Bracket matching + auto-close(, [, {, ", ', `
  • Code folding — per rule block
  • Snippets — type any of the following + Tab:
    • rule-deny — DENY with input matcher
    • rule-allow — ALLOW with target capability
    • rule-log — LOG-only audit rule
    • rule-ask — ASK rule (pauses for human approval)
    • rule-force — FORCE rule (mutates input)

For the full DSL reference, see Rule Syntax.

Settings

Open Settings (Ctrl+,) and search ssg to configure:

SettingDefaultDescription
ssg.daemonHost127.0.0.1Host the SSG daemon is bound to. Change this to point at a remote daemon (e.g. SSH-forwarded).
ssg.daemonPort5599Port ssg serve is listening on.
ssg.pollInterval5000Sidebar refresh interval (ms). SSE handles real-time updates; this is the fallback poll.
ssg.autoStartfalseIf true, show a one-time warning when the daemon isn't reachable on startup.

Commands

All commands are under the SSG category in the Command Palette.

CommandDescription
SSG: Open DashboardOpen the embedded SSG panel
SSG: Open Dashboard in BrowserOpen the daemon's web dashboard in your default browser
SSG: Set Auth TokenSave or replace your dashboard auth token
SSG: Show Daemon StatusNotification with version, uptime, eval/blocked/pending counts
SSG: New Rule…Open the daemon's rule editor in your browser
SSG: Report a Bug…Submit a support ticket from inside VS Code (see below)
SSG: Send Feedback…Submit feedback with category picker (bug / feature request / question / incident)
SSG: Open DocumentationOpen docs.sigmashake.com
SSG: Open Support PortalOpen support.sigmashake.com
SSG: Refresh RulesForce-refresh the Rules sidebar
SSG: Refresh PendingForce-refresh the Pending sidebar
SSG: Refresh AuditForce-refresh the Audit Log sidebar

Reporting bugs from inside VS Code

SSG: Report a Bug… walks you through a 4-step quick-input:

  1. Severity — P1 (critical) through P4 (low)
  2. Subject — 1–200 chars
  3. Description — 10–10000 chars
  4. Contact email — remembered for next time

The extension POSTs the form to your local daemon at /api/support/feedback. The daemon:

  1. Validates the input
  2. Attaches a redacted diagnostic bundle (daemon version, OS, rule count, recent eval summaries — tool inputs are redacted before forwarding)
  3. HMAC-signs the request and forwards it to sigmashake-support
  4. Returns a tkt_* ticket ID

You'll see a notification with a View ticket button that opens support.sigmashake.com/support/<id>. AI auto-triage usually picks up your ticket within ~5–20 seconds, classifies it, and either replies with a first-pass answer or hands it to on-call staff.

If the daemon isn't reachable, the error dialog offers an Open Support Portal button that takes you to support.sigmashake.com for manual filing.

Why not file directly? Each customer authenticates against support via the local daemon. No shared secret ships with the extension binary — the extension can only file tickets as you, using credentials ssg auth login already saved in ~/.sigmashake/.

Remote / SSH / Codespaces

The extension declares extensionKind: ["ui", "workspace"], so VS Code installs it on the side that can reach the daemon:

ScenarioWhere the extension runs
LocalLocal UI
SSH workspace, daemon on remoteRemote workspace
SSH workspace, daemon on laptopLocal UI (forward 5599 over SSH first)
Codespaces, daemon in codespaceCodespace
Codespaces, daemon on laptopLocal UI (forward 5599 from laptop)

When pointing at a remote daemon, set ssg.daemonHost and ssg.daemonPort to match the reachable address. The dashboard panel will load that origin.

Compatibility

The extension is published to both:

  • Visual Studio Marketplace — VS Code, VS Code Insiders
  • Open VSX — Cursor, VSCodium, Gitpod, Theia-based editors

The same .vsix works in all of them. Required VS Code engine: ^1.85.0.

Troubleshooting

SymptomFix
Sidebars say "(empty)"Daemon isn't reachable. Run ssg serve and check ssg.daemonPort matches its bind port.
Status bar shows "auth required"Run SSG: Set Auth Token and paste your dashboard token.
Embedded dashboard panel is blankClick Reload in the panel toolbar. If still blank, click Open in browser to confirm the daemon itself is up.
Report a Bug… says "Sign in first"Run ssg auth login in a terminal — the daemon needs your support credential to file tickets on your behalf.
.rules files aren't highlightedMake sure the file extension is .rules exactly. The grammar key is source.rules.

For anything not covered above, SSG: Report a Bug… is the fastest path to a real human.

Source

The extension lives in sigmashake-vscode/ inside the SigmaShake monorepo. The published .vsix is built from the tagged release commit — audit any release by diffing the package contents against the corresponding tag.

To report a security issue privately, see the Security Policy.