signet-eval

Deterministic policy enforcement for AI agents. Control what your agent can do — spending limits, destructive command blocking, credential gating — without putting an LLM in the decision path.

5ms
cold start
<1μs
policy eval
44
tests
14
condition functions
cargo install signet-eval

Three Steps

1. Install: cargo install signet-eval

2. Hook into Claude Code:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "",
      "hooks": [{"type": "command", "command": "signet-eval", "timeout": 2000}]
    }]
  }
}

3. Done. Every tool call now passes through policy evaluation.

Default Policy

ActionDecision
rm, rmdirDENY
git push --forceASK
mkfs, format, dd if=DENY
curl | sh, wget | shDENY
Write to .env, .pem, .keyDENY
chmod 777ASK
Everything elseALLOW

Custom Rules

# ~/.signet/policy.yaml
version: 1
default_action: ALLOW
rules:
  - name: books_limit
    tool_pattern: ".*purchase.*"
    conditions:
      - "param_eq(category, 'books')"
      - "spend_plus_amount_gt('books', amount, 200)"
    action: DENY
    reason: "Books spending limit ($200) exceeded"

  - name: block_sudo
    tool_pattern: ".*"
    conditions: ["param_contains(command, 'sudo')"]
    action: ASK
    reason: "sudo requires confirmation"

Condition Functions

FunctionDescription
contains(parameters, 'X')Tool input contains string
any_of(parameters, 'X', 'Y')Any string present
param_eq(field, 'value')Field equals value
param_ne(field, 'value')Field not equal
param_gt(field, N)Field > number
param_lt(field, N)Field < number
param_contains(field, 'X')Field contains substring
matches(field, 'regex')Field matches regex
has_credential('name')Credential exists in vault
spend_gt('cat', N)Session spend exceeds limit
spend_plus_amount_gt('cat', field, N)Cumulative spend + amount exceeds limit
not(condition)Negate any condition
or(A || B)Either condition true
true / falseLiteral boolean

Features

Encrypted Vault

Argon2 + AES-256-GCM. Three tiers: public ledger, session-encrypted state, compartment-encrypted credentials. Your CC number is stored where the agent can't read it.

Spending Limits

Track cumulative spend per category. "Don't spend more than $200 on books" just works — the vault ledger enforces it across every tool call.

MCP Management

Manage policies by talking to Claude. "Add a $50 limit for amazon orders." 12 MCP tools for rules, credentials, status, and testing.

MCP Proxy

Wrap upstream MCP servers with enforcement. The agent connects to the proxy, not directly to servers. No bypass possible.

Policy Testing

signet-eval test '{"tool_name":"Bash","tool_input":{"command":"rm foo"}}' — test rules without running as a hook.

Adversarial Testing

44 tests including Goodhart tests: unicode homoglyphs, null bytes, 1MB inputs, SQL injection in conditions, 1000-rule performance bounds.

Architecture

Part of the Signet personal sovereign agent stack. The core principle: the authorization layer must not be an LLM. It processes structured data only. No natural language, no context window, no persuasion surface. A rule either matches or it doesn't.

Agent proposes action  ->  signet-eval evaluates policy  ->  allow / deny / ask
                           (deterministic, 5ms, no NLP)

All Commands

CommandPurpose
signet-evalHook evaluation (default, 5ms)
signet-eval initWrite default policy file
signet-eval rulesShow current rules
signet-eval validateCheck policy for errors
signet-eval test '<json>'Test a tool call
signet-eval setupCreate encrypted vault
signet-eval unlockRefresh vault session
signet-eval statusVault status and spending
signet-eval store <n> <v>Store Tier 3 credential
signet-eval logRecent action log
signet-eval serveMCP management server
signet-eval proxyMCP proxy