Deterministic policy enforcement for AI agent tool calls.
No LLM in the authorization path. No prompt injection surface.
cargo install signet-eval
Add to ~/.claude/settings.json:
{
"hooks": {
"PreToolUse": [{
"matcher": "",
"hooks": [{"type": "command", "command": "signet-eval", "timeout": 2000}]
}]
}
}
Every tool call now passes through policy evaluation before execution.
| Action | Decision |
|---|---|
rm, rmdir | DENY |
git push --force | ASK |
mkfs, format, dd if= | DENY |
curl | sh, wget | sh | DENY |
| Everything else | ALLOW |
# ~/.signet/policy.yaml
version: 1
default_action: ALLOW
rules:
- name: books_limit
tool_pattern: ".*purchase.*"
conditions:
- "param_eq(category, 'books')"
- "spend_plus_amount_gt('books', amount, 200)"
action: DENY
reason: "Books spending limit ($200) exceeded"
Passphrase-derived key hierarchy (Argon2 + AES-256-GCM). Three-tier data model:
| Tier | Encryption | Contents |
|---|---|---|
| 1 | None | Action log, spending ledger |
| 2 | Session key | Session state |
| 3 | Compartment key | CC numbers, API tokens |
Tier 1 of the Signet personal sovereign agent stack. The core principle: the authorization layer must not be an LLM. It processes structured data only. A rule either matches or it doesn't.
Agent proposes action → signet-eval evaluates policy → allow/deny/ask
(5ms, deterministic, no NLP)