Signato integrations
The chamber between your AI and the world.
Signato is a deterministic confidentiality chamber that runs 100% on your own machine. You declare
who must NOT know what (people with detection aliases, subjects with trigger keywords, an
enforcement mode per wall), and every outbound event is checked, person against subject, in the
same text. A hard wall denies the send before it happens; a soft wall lets it pass with a
warning. Nothing is uploaded, ever: there is no server in the picture.
This repository is the public integration surface: how to wire the chamber into Claude Code today,
the adapter contract for wiring it into other hosts, and synthetic configuration examples you can
copy. The Signato software itself is proprietary and is not in this repository: install it
with pip install signato (PyPI, proprietary license, the
same full 30-day local trial, no card), or as a direct download with a published SHA-256 at
signato.ai/trial.
Why a deterministic external layer
AI agents draft and act at scale. Prompt instructions do not reliably hold confidentiality: in the
ConfAIde benchmark (ICLR 2024), even the best-performing frontier model leaked contextually private
information in 39% of measured scenarios, and others did worse. The defense has to live outside the
model: deterministic, testable, and checked on every outbound event that passes through it. That is
what the chamber is.
See it block, before installing anything
An in-browser simulation of the same rule, with a synthetic matrix, runs at
signato.ai/demo. Nothing you type there leaves the tab.
Quickstart: Claude Code hook (turnkey today)
The package ships an adapter for Claude Code's PreToolUse hook contract. This repository is
also a Claude Code plugin marketplace, so the fastest path is two commands inside Claude Code
(after pip install signato, Python 3.10+):
/plugin marketplace add Signato-ai/signato-integrations
/plugin install signato-guard@signato
The plugin registers the hook and looks for your matrix at ~/.signato/matrix.yaml
(override with JOHARI_GUARD_CONFIG); details in
plugins/signato-guard/README.md.
Prefer to wire it by hand? Point the hook at your matrix in .claude/settings.json:
{
"hooks": {
"PreToolUse": [
{
"matcher": "*",
"hooks": [
{
"type": "command",
"command": "JOHARI_GUARD_CONFIG=/absolute/path/matrix.yaml JOHARI_GUARD_TELEMETRY=/absolute/path/telemetry.jsonl python3 -m johari_guard.adapters.claude_code"
}
]
}
]
}
}
From that point, every agent action passes through the chamber before it executes. The contract,
verified against version 0.13.2:
| Verdict | Hook behavior |
|---|
| HARD (forbidden pair) | exit 2, permissionDecision: "deny" with the reason; the action is blocked |
| SOFT (warned pair) | exit 0, permissionDecision: "allow" plus additionalContext with the warning; the agent sees it and can rephrase |
| Clean | exit 0, no output; zero friction |
A real deny, from a live run against the synthetic example matrix:
BLOCK johari-guard [advisor-a-succession-only]: 'abel' is walled off company-sale(purchase offer)
Step-by-step setup, including the failure posture you should choose per channel, is in
docs/claude-code-hook.md.
Building your matrix
Start from examples/matrix.example.yaml (100% synthetic), or let
the package interview you: signato init in the terminal, or signato studio for the same
five screens in your browser, served from 127.0.0.1, your machine. Every generated matrix ships
with derived test scenarios (examples/scenarios.example.yaml)
so the wall is executable, not aspirational: signato test runs them, signato simulate replays
history before you change a wall, signato attest keeps an append-only record for audit.
MCP server (any MCP client)
Since 0.13.0 the chamber speaks MCP. Install the optional extra and run the server over stdio:
pip install "signato[mcp]"
signato mcp
Three tools, a thin protocol shell over the same engine the hook uses: check_confidentiality
(verdict for a text before it leaves), lint_matrix (authoring errors in your matrix), and
run_matrix_tests (your own scenarios). Point any MCP client at it:
{"mcpServers": {"signato": {"command": "signato", "args": ["mcp"],
"env": {"JOHARI_GUARD_CONFIG": "/absolute/path/to/matrix.yaml"}}}}
No matrix yet? The server answers NOT CHECKED and points you to signato quickstart, which
builds a first working matrix in minutes and shows you a real block before asking anything
else. Everything stays local; the server sends nothing anywhere.
Wiring a different host
The adapter spine is deliberately thin: a channel adapter implements only extract(message) and
apply(verdict); the orchestration (extract, check, apply, with a declared fail-open or
fail-closed posture) is fixed and lives outside the adapter. The contract is documented in
docs/adapter-contract.md. Email gateways and document pipelines are
implementation work we do with customers on assisted plans, or a custom adapter on the same
contract; if you build one, we want to hear about it, open an issue.
Security posture, verifiable
- Local-first is structural, not a setting. The core makes no network call, at install, at
check time, or ever. Test it yourself: install, disconnect from the internet, and every command
keeps working. The only network access in the whole journey is
pip fetching one open-source
dependency (PyYAML) at install time.
- Checksum. The trial download is published with its SHA-256 on
signato.ai/trial; verify before installing.
- Fail posture is yours to declare. Fail-closed on external sends, fail-open for gradual
rollout, per channel. On the standalone verification commands (
check, scan, test,
report, attest, simulate), an expired license refuses service rather than failing open.
The Claude Code hook deliberately does not gate on license state: a wall that guards your
agent's workflow should not stop standing because a card expired.
- The package carries 830 automated tests (version 0.13.2).
Vulnerability reports: see SECURITY.md.
Pricing and licensing
The 30-day local trial is the full product, no card. Paid plans are per operation, not per seat:
signato.ai/pricing. Documentation and examples in this repository
are MIT-licensed (LICENSE.md); the Signato software is proprietary.
Signato is the maker of the local confidentiality chamber and a publisher of practical
AI-governance intelligence. It is not a law firm and never a substitute for advice from a
qualified lawyer. Belo Horizonte, Brazil. hello@signato.ai