SigmaShake SSG — VS Code Extension

AI governance for VS Code. Manage rules, review pending approvals, and monitor AI tool usage — right inside your editor.

What is SSG?

SigmaShake SSG is a local AI governance engine. It runs as a background daemon and evaluates every tool call made by your AI coding assistant (Claude Code, Cursor, Gemini CLI, Copilot, etc.) against your .rules files — blocking, logging, or asking for approval in real time.

This extension brings the full SSG experience into VS Code:

• Pending Approvals sidebar — approve or deny AI actions without leaving the editor
• Rules sidebar — browse, toggle, and manage all your governance rules
• Audit Log sidebar — see every AI tool call and its decision, live
• Embedded dashboard — full SSG dashboard in a VS Code panel
• Status bar — daemon health and pending count always visible
• .rules language support — syntax highlighting, snippets, folding

Features

Pending Approvals

When an AI tool call hits an ASK rule, it pauses and waits for your decision. The sidebar shows all pending items with the tool name, input preview, and the rule that triggered. Allow or Deny with one click — or save as a permanent Always Allow / Always Deny autopilot rule.

Rules Management

All your .rules files in one tree, grouped by source file. Each rule shows its decision type (color-coded), target capability, and priority. Toggle rules enabled/disabled directly from the tree.

Audit Log

A live view of the last 50 AI tool evaluations. See which tools were called, what decision was made, which rule matched, and how long evaluation took.

Embedded Dashboard

Open the full SSG dashboard panel inside VS Code (SSG: Open Dashboard or click the status bar). Identical to the SigmaShake Desktop app — all pages, live charts, and hub integration — but embedded as a VS Code panel.

.rules Language Support

.rules files get full language support:

• Syntax highlighting for keywords (DENY, IF, AND), decision verbs, operators, strings
• Auto-closing brackets and quotes
• Code folding per rule block
• Snippets — type rule-deny, rule-allow, rule-log, rule-ask, rule-force + Tab

Requirements

SSG daemon must be running. The extension connects to ssg serve on 127.0.0.1:5599 (configurable). If you don't have SSG installed:

npm install -g @sigmashake/ssg
ssg init
ssg serve

Or download SigmaShake Desktop which manages the daemon automatically.

Setup

1. Install and start the SSG daemon (ssg serve)
2. Install this extension
3. Run SSG: Set Auth Token from the Command Palette and paste your token
   • Find your token in the ssg serve startup output, or in ~/.sigmashake/config.toml
4. The sidebar will populate and the status bar will show the daemon status

Extension Settings

Commands

Reporting bugs

Run SSG: Report a Bug… from the Command Palette. The extension collects:

1. Category (bug, feature request, question, incident)
2. Severity (P1–P4)
3. Subject and description
4. Your contact email (remembered locally for next time)

It POSTs the form to your local SSG daemon at /api/support/feedback, which:

• Attaches a redacted diagnostic bundle (recent evals, daemon version, rule count, OS, never tool inputs)
• Authenticates you against sigmashake-support using the credential ssg auth login already stored at ~/.sigmashake/
• Creates a real support ticket — you'll get a tkt_* ID back and an email confirmation

The "View ticket" button in the success notification opens support.sigmashake.com/support/<id> so you can follow the thread.

If you'd rather skip the dialog, the same daemon endpoint is what the ssg support CLI and the SSG Desktop "Send feedback" form use.

Supported AI Clients

SSG governs tool calls from any client that integrates with it:

• Claude Code (Anthropic) — hooks + MCP server
• Cursor — MCP server
• Gemini CLI (Google) — hooks
• GitHub Copilot — MCP server
• Any MCP-compatible client

Security & data handling

• Auth tokens are stored in VS Code's SecretStorage, backed by your OS keychain (Keychain on macOS, Secret Service on Linux, Credential Vault on Windows). Tokens never appear in settings.json or workspace state.
• All network calls are scoped to your local SSG daemon (127.0.0.1 by default). The extension never reaches out to any third-party service directly — bug reports are forwarded through the daemon's HMAC-signed support proxy.
• WebView CSP locks the embedded dashboard panel to the daemon origin: default-src 'none'; frame-src http://<daemon>; connect-src http://<daemon>; script-src 'nonce-<random>'. No remote scripts or styles are loaded.
• Diagnostic bundles attached to bug reports include daemon version, OS, rule count, recent eval summaries, and the active dashboard route. Tool-call inputs are redacted before forwarding.
• Source-available — the extension's TypeScript source lives in sigmashake-vscode/ of the SigmaShake monorepo. Audit any release by diffing the published .vsix against the tagged source.

To report a security issue privately, see SECURITY.md or email security@sigmashake.com (PGP key on the policy page).

Links

• sigmashake.com — Product homepage
• sigmashake.com/vscode — VS Code extension landing page
• Documentation — Extension docs and reference
• Rules Hub — Community rule collections
• Support — File a ticket; AI auto-triage replies in minutes
• Discord — Community

License

Proprietary — © SigmaShake Inc. All rights reserved. See LICENSE for terms.