signet-eval

Deterministic policy enforcement for AI agent tool calls.
No LLM in the authorization path. No prompt injection surface.

5ms
cold start
<1μs
policy eval
3.7MB
binary

Install

cargo install signet-eval

Hook into Claude Code

Add to ~/.claude/settings.json:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "",
      "hooks": [{"type": "command", "command": "signet-eval", "timeout": 2000}]
    }]
  }
}

Every tool call now passes through policy evaluation before execution.

Default Policy

ActionDecision
rm, rmdirDENY
git push --forceASK
mkfs, format, dd if=DENY
curl | sh, wget | shDENY
Everything elseALLOW

Custom Rules

# ~/.signet/policy.yaml
version: 1
default_action: ALLOW
rules:
  - name: books_limit
    tool_pattern: ".*purchase.*"
    conditions:
      - "param_eq(category, 'books')"
      - "spend_plus_amount_gt('books', amount, 200)"
    action: DENY
    reason: "Books spending limit ($200) exceeded"

Encrypted Vault

Passphrase-derived key hierarchy (Argon2 + AES-256-GCM). Three-tier data model:

TierEncryptionContents
1NoneAction log, spending ledger
2Session keySession state
3Compartment keyCC numbers, API tokens

Architecture

Tier 1 of the Signet personal sovereign agent stack. The core principle: the authorization layer must not be an LLM. It processes structured data only. A rule either matches or it doesn't.

Agent proposes action → signet-eval evaluates policy → allow/deny/ask
                         (5ms, deterministic, no NLP)