Add Deterministic Guardrails to Claude Code with Signet-eval's Policy Engine

Signet-eval adds a seatbelt to Claude Code, letting you enforce spending limits, block destructive commands, and gate credentials with deterministic rules—no LLM in the decision loop.

12h ago·4 min read·3 views·via hn_claude_cli

What It Does — A Policy Engine for Claude Code

Signet-eval is a deterministic policy enforcement tool built specifically for AI agents like Claude Code. It sits between Claude's decision-making and tool execution, evaluating every tool call against a YAML-based rule set before it runs. The core principle is simple but powerful: the authorization layer must not be an LLM. It processes only structured data—no natural language, no context window, no persuasion surface. A rule either matches or it doesn't.

This means you can define rules like "don't spend more than $200 on books" or "always ask for confirmation before running commands on production," and Claude Code will respect them deterministically, every time. Evaluation takes ~60 ms on a cold start and under 1 ms thereafter.

Setup — How to Install and Configure with Claude Code

Installation is straightforward if you have Rust's Cargo:

cargo install signet-eval

Then, hook it into Claude Code by adding a PreToolUse hook to your Claude Code configuration (typically in ~/.config/claude-code/config.json or your project's .claude/config.json):

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "",
      "hooks": [{
        "type": "command",
        "command": "signet-eval",
        "timeout": 2000
      }]
    }]
  }
}

That's it. Every tool call Claude Code makes will now pass through signet-eval for policy evaluation before execution.

When To Use It — Specific Use Cases Where It Shines

1. Enforcing Spending Limits

Define categories and caps in your policy file (~/.signet/policy.yaml):

rules:
  - name: books_limit
    tool_pattern: ".*purchase.*"
    conditions:
      - "param_eq(category, 'books')"
      - "spend_plus_amount_gt('books', amount, 200)"
    action: DENY
    reason: "Books spending limit ($200) exceeded"

This tracks cumulative spend per category across sessions. Reset with signet-eval reset-session.

2. Blocking Destructive Commands

Protect production environments by requiring confirmation:

rules:
  - name: protect_prod
    tool_pattern: ".*"
    conditions: ["contains(parameters, 'production')"]
    action: ASK
    locked: true
    reason: "Production access requires confirmation"

The ASK action pauses execution and prompts the user for confirmation.
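To show how the rules in use cases 1 and 2 are decided without any language model, here is an added example (not signet-eval's own code) that evaluates the page's two YAML rules, written as Python dicts, against structured tool-call parameters. The condition functions param_eq, contains and spend_plus_amount_gt are implemented as plain comparisons; that locked rules sort first, that the first matching rule wins, and the ALLOW default are assumptions.

```python
import re

# Constructed rule set mirroring the two YAML rules on this page, as Python dicts
# (assumed semantics: locked rules sort first, first matching rule wins).
RULES = [
    {"name": "protect_prod", "tool_pattern": ".*", "locked": True,
     "conditions": ["contains(parameters, 'production')"], "action": "ASK"},
    {"name": "books_limit", "tool_pattern": ".*purchase.*", "locked": False,
     "conditions": ["param_eq(category, 'books')",
                    "spend_plus_amount_gt('books', amount, 200)"], "action": "DENY"},
]
DEFAULT_ACTION = "ALLOW"  # assumed default when no rule matches
COND_RE = re.compile(r"^(\w+)\((.*)\)$")

def _resolve(tok, params):
    """Quoted tokens are string literals, digits are numbers, bare names are tool params."""
    if tok.startswith("'") and tok.endswith("'"):
        return tok[1:-1]
    if tok.isdigit():
        return float(tok)
    return params.get(tok)

def check(cond, params, ledger):
    """Evaluate one condition string against structured parameters; no NLP involved."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unparseable condition: {cond}")
    fn, toks = m.group(1), [t.strip() for t in m.group(2).split(",")]
    if fn == "param_eq":
        return _resolve(toks[0], params) == _resolve(toks[1], params)
    if fn == "contains":  # plain substring match over every parameter value
        needle = _resolve(toks[1], params)
        return any(needle in str(v) for v in params.values())
    if fn == "spend_plus_amount_gt":  # cumulative spend per category plus this call
        cat, amount, cap = (_resolve(t, params) for t in toks)
        return ledger.get(cat, 0) + float(amount or 0) > cap
    raise ValueError(f"unknown condition function: {fn}")  # reject rather than guess

def evaluate(tool_name, params, ledger):
    """Return (action, rule_name) for one tool call, e.g. ("DENY", "books_limit")."""
    ordered = sorted(RULES, key=lambda r: not r.get("locked", False))
    for rule in ordered:
        if re.fullmatch(rule["tool_pattern"], tool_name) and all(
            check(c, params, ledger) for c in rule["conditions"]
        ):
            return rule["action"], rule["name"]
    return DEFAULT_ACTION, None

def record_spend(params, ledger):
    """After an allowed purchase, add its amount to the per-category ledger."""
    cat = params.get("category")
    if cat is not None:
        ledger[cat] = ledger.get(cat, 0) + float(params.get("amount", 0))
    return ledger
```

The ledger dict stands in for the cross-session spend tracking the page describes; a real hook would persist it between calls.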

3. Credential Gating with Constraints

Store credentials with domain, purpose, amount caps, and one-time constraints. The signet_use_credential function enforces all constraints before releasing credentials. One-time tokens auto-invalidate after use.

4. Wrapping Upstream MCP Servers

Signet-eval can proxy MCP servers, applying policy enforcement on every call. Configure Claude Code to connect to the signet-eval proxy instead of directly to servers, and policies hot-reload on every evaluation.

The Security Model — Why It's Trustworthy

Signet-eval includes several security features that make it suitable for serious use:

  1. Locked Rules: Mark rules as locked: true in YAML. These rules cannot be removed or edited via MCP tools—even through the MCP management server. Unlocked rules can't be reordered above locked ones. Self-protection rules ship locked by default.

  2. HMAC-Signed Policies: Your policy file is HMAC-signed. The hook verifies integrity on every evaluation. If someone tampers with the file, signet-eval falls back to hardcoded safe defaults automatically. MCP mutations auto-sign.

  3. Encryption Tiers: Uses Argon2id + AES-256-GCM with three tiers: public ledger, session-encrypted state, and compartment-encrypted credentials. Session keys are encrypted with device-specific keys. Brute-force lockout activates after 5 failed attempts.

  4. No Prompt Injection Surface: Because there's no natural language processing in the policy engine, there's nothing to inject into. Rules evaluate tool calls using regex and simple conditions only.
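To illustrate item 2 (HMAC-signed policies), an added example that is not signet-eval's code: it verifies a policy's tag in constant time before the rules are used and drops to safe defaults when the file was edited without the key. HMAC-SHA256, hex tags, the demo key and the contents of SAFE_DEFAULTS are assumptions.

```python
import hmac
import hashlib

# Assumed safe defaults for the tamper case (the page says they are hardcoded,
# not what they contain): deny everything until a validly signed policy exists.
SAFE_DEFAULTS = "default_action: DENY\nrules: []\n"

def sign_policy(policy_text: str, key: bytes) -> str:
    """HMAC-SHA256 tag over the exact policy bytes (algorithm is an assumption)."""
    return hmac.new(key, policy_text.encode("utf-8"), hashlib.sha256).hexdigest()

def load_policy(policy_text: str, tag: str, key: bytes) -> tuple[str, bool]:
    """Verify the stored tag in constant time; on any mismatch use SAFE_DEFAULTS."""
    ok = hmac.compare_digest(sign_policy(policy_text, key), tag)
    return (policy_text, True) if ok else (SAFE_DEFAULTS, False)

def demo():
    """Constructed round trip: a signed policy loads; an unsigned edit falls back."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed, not a real key
    policy = ("default_action: DENY\nrules:\n  - name: protect_prod\n"
              "    locked: true\n    action: ASK\n")
    tag = sign_policy(policy, key)
    assert load_policy(policy, tag, key) == (policy, True)
    # Someone flips ASK to ALLOW in the file but cannot re-sign without the key.
    tampered = policy.replace("action: ASK", "action: ALLOW")
    return load_policy(tampered, tag, key)
```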

Managing Policies Through Claude

You don't need to edit YAML manually. Signet-eval provides 17 MCP tools for policy management, so you can talk to Claude Code to modify rules: "Add a $50 limit for Amazon orders" or "Block all rm -rf commands." The MCP tools handle rules, credentials, testing, validation, reordering, signing, and credential use—all through natural language while maintaining security boundaries.

The Bottom Line

Signet-eval is a seatbelt, not a cage. It enforces policy within Claude Code's cooperative protocol—Claude calls signet-eval before every tool use and respects the response. This gives you deterministic control over spending, destructive commands, and credential access without sacrificing Claude Code's autonomy for safe tasks.

As AI agents become more capable, tools like signet-eval that provide reliable guardrails will become essential infrastructure. For developers using Claude Code daily, it's worth installing today for any task involving money, production systems, or sensitive credentials.

AI Analysis

Claude Code users should install signet-eval immediately for any project involving financial transactions, production system changes, or credential management. The 5-minute setup provides deterministic protection that LLM-based approaches can't match. Change your workflow: Before letting Claude Code run `purchase` tools, `deploy` commands, or credential-accessing operations, define your policy rules first. Use the MCP tools to manage policies through conversation ("block all AWS terminate-instance commands") rather than editing YAML manually. For maximum safety, start with `default_action: DENY` in your policy.yaml and explicitly ALLOW only the tools and parameters you trust. Use `locked: true` on your core safety rules so Claude can't accidentally (or intentionally) modify them through the MCP interface. Remember that signet-eval works alongside Claude Code's existing safety features—it's an additional layer, not a replacement.
Original source: jmcentire.github.io
