AI Agent Guardrails. Sub-2ms governance for every AI agent. Local-first.
SSG is SigmaShake's AI agent governance CLI. It evaluates every tool call your AI agent is about to make against a set of local rules — blocking dangerous operations, asking for approval on risky ones, and recording everything to a queryable audit log. It runs locally in sub-2 milliseconds and works with every major AI client: Claude Code, Cursor, GitHub Copilot, Codex, Gemini, Antigravity, and Pi.
A local dashboard at http://localhost:5599 shows pending approvals, blocked commands, and a live audit stream.
Pull curated rulesets from hub.sigmashake.com — covering bash, secrets, SQL, Docker, Kubernetes, Python, React, Terraform, and more.
🎥 Watch the full dashboard tour (WebM, 208 KB) · or read the dashboard docs.
- 🏠 Local-first evaluation — no outbound AI calls for governance
- ⚡ Sub-2ms rule eval — faster than the network call it gates
- 🧩 Works everywhere — Claude Code, Cursor, Copilot, Codex, Gemini, Antigravity, Pi
- 🔍 Queryable audit trail — every decision stored locally; searchable from the CLI
- 🌐 Hub rulesets — 20+ curated packs authored by the community
- 🏢 Fleet-ready — SSO, org policies, and SIEM forwarding for enterprise deployments
```sh
npm install -g @sigmashake/ssg
ssg --help
```

| Channel | Install |
|---|---|
| npm | npm install -g @sigmashake/ssg |
| PyPI | pip install sigmashake |
| Homebrew | brew install sigmashakeinc/tap/ssg |
| winget | winget install SigmaShake.SSG |
| Docker (OS-agnostic) | docker run --rm -i ghcr.io/sigmashakeinc/ssg:latest eval < call.json |
The Docker image at ghcr.io/sigmashakeinc/ssg is also the install path for musl distros (Alpine, Chimera) and hosts running glibc < 2.24. See the Docker guide for usage.
```sh
ssg init   # install adapters + local config for every supported AI client
ssg setup  # guided ruleset selection
ssg serve  # start the local approval dashboard at localhost:5599
```

Evaluate a single tool call from the shell:

```sh
echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' | ssg eval
```

Wire SSG into just one client:

```sh
ssg init --client=claude-code  # or: cursor | copilot | codex | gemini | antigravity | pi
```

Full reference and guides at docs.sigmashake.com.

| Get started | Integrate |
|---|---|
| 🚀 Getting started | 🔌 MCP server |
| ⚡ Intro | 🤖 Claude Code |
| 📺 Dashboard | 🧩 Every adapter |

| Author rules | Operate |
|---|---|
| 📝 Rule syntax | 💻 CLI reference |
| 🌍 Hub guide | 🏗️ Architecture |
| 📦 Publishing rulesets | 🏢 Enterprise fleet |

ssg init configures, out of the box:

| Command | What it does |
|---|---|
| `ssg init` | Install agent adapters and local configuration |
| `ssg setup` | Walk through recommended setup and ruleset selection |
| `ssg serve` | Start the local approval dashboard |
| `ssg eval` | Evaluate a tool call from stdin (JSON) |
| `ssg audit search` | Query local audit history for agents, tools, and actions |
| `ssg rule ...` | List, search, enable, disable, and edit rules |
| `ssg hub ...` | Search, install, update, and audit Hub rulesets |
| `ssg doctor` | Run a health diagnostic for the local installation |
| `ssg mcp-server` | Start the local MCP server for agent integrations |

Local rule evaluation, local dashboard usage, and local audit inspection work without signing in. ssg auth login unlocks account-backed features: Hub publishing, organization workflows, support, and private ruleset access.
- 💬 Discord — discord.gg/ghWA8Xhs4T
- 🐛 Report an issue — github.com/sigmashakeinc/ssg/issues
- 🏢 Enterprise & support — support@sigmashake.com
- 🌐 Hub — hub.sigmashake.com
- 🔐 Accounts — accounts.sigmashake.com
Proprietary. The SSG binary is free to use for local governance, auditing, and dashboard workflows. Source code is not distributed — this repository publishes release artifacts only. See LICENSE for the full terms.
© Sigma Shake. All rights reserved.

