@wardrail/plugin 0.1.3 → 0.1.5

package/README.md

@@ -1,52 +1,65 @@
-# @wardrail/plugin
-
-The **Wardrail Claude Code plugin**. One install gives your coding agent two things:
-
-1. **The Wardrail contract, while it codes** — the four [`@wardrail/mcp`](https://www.npmjs.com/package/@wardrail/mcp)
-   tools (`get_contract`, `check_path`, `get_findings`, `review_diff`), so the agent stays
-   on the rails *before* a violation lands.
-2. **A context-saving workflow** — `/task` and `/checkpoint` slash commands, a SessionStart
-   resume listing, and a machine **verifier** so a checkpoint *can't lie*: it reconciles a
-   task file's claims against `git`, a real test run, and a diff scan before it's allowed to
-   be marked done.
-
-This is the same anti-drift, verify-don't-trust thesis Wardrail applies to your *code*,
-turned on the agent's own working memory.
-
-## Install
-
-```bash
-# add the marketplace (served by Wardrail), then install the plugin
-claude plugin marketplace add https://wardrail.ghostables.io/marketplace.json
-claude plugin install wardrail@wardrail
-```
-
-At enable time you'll be asked for:
-
-| Value | Required | What it is |
-|---|---|---|
-| `WARDRAIL_URL` | no | Your Wardrail server. Defaults to `https://wardrail.ghostables.io`. |
-| `WARDRAIL_INGEST_TOKEN` | **yes** | Project-scoped token from Wardrail → **Trust → Attest from CI**. Scopes reads to one project; never grants account access. |
-| `ANTHROPIC_API_KEY` | no | Only for `wardrail_review_diff`. Stays on your machine; Wardrail never sees it. |
-
-These feed the bundled MCP server's environment via `${user_config.*}`. The `@wardrail/mcp`
-server is fetched on demand by `npx`.
-
-## What's in the box
-
-```
-.claude-plugin/plugin.json   manifest + userConfig prompts
-skills/task/SKILL.md         /task new|resume <slug>
-skills/checkpoint/SKILL.md   /checkpoint  (runs the verifier)
-hooks/hooks.json             SessionStart -> resume listing
-hooks/tasks-session-start.mjs
-hooks/verify-checkpoint.mjs  the machine verifier
-.mcp.json                    the Wardrail MCP server (npx -y @wardrail/mcp)
-```
-
-## The workflow
-
-`/checkpoint` → `/clear` → `/task resume <slug>`. Task files live per-project in
-`./tasks/<slug>.md` and carry a small, honest snapshot so a fresh session rehydrates from
-~3k tokens instead of a 150k transcript. `/checkpoint` stamps a tamper-evident
-`## Verification` block; `status: done` over a failed check is downgraded to FAIL.
+# @wardrail/plugin
+
+[![npm version](https://img.shields.io/npm/v/@wardrail/plugin)](https://www.npmjs.com/package/@wardrail/plugin)
+[![license](https://img.shields.io/npm/l/@wardrail/plugin)](./LICENSE)
+[![node](https://img.shields.io/node/v/@wardrail/plugin)](https://nodejs.org)
+
+The **Wardrail plugin for Claude Code**. One install gives your coding agent two things:
+
+1. **Your contract & codebase, while it codes** — the full [`@wardrail/mcp`](https://www.npmjs.com/package/@wardrail/mcp)
+   toolset: consult your project's guardrails before editing, pull the latest security findings, get
+   an independent verdict on a diff, and **query the code graph** (who calls what, blast radius)
+   instead of reading files. The agent stays on the rails *before* a violation lands.
+2. **A context-saving workflow** — `/task` and `/checkpoint` slash commands, a SessionStart resume
+   listing, and a machine **verifier** so a checkpoint *can't lie*: it reconciles a task file's
+   claims against `git`, a real test run, and a diff scan before it can be marked done.
+
+The same anti-drift, verify-don't-trust thesis Wardrail applies to your *code*, turned on the
+agent's own working memory. Zero-knowledge: your key and code stay on your machine.
+
+## Install
+
+```bash
+claude plugin marketplace add https://wardrail.ghostables.io/marketplace.json
+claude plugin install wardrail@wardrail
+```
+
+At enable time you'll be asked for:
+
+| Value | Required | What it is |
+|---|---|---|
+| `WARDRAIL_INGEST_TOKEN` | **yes** | Project-scoped token from Wardrail → **Trust → Attest from CI**. Scopes reads to one project; never grants account access. |
+| `WARDRAIL_URL` | no | Your Wardrail server. Defaults to `https://wardrail.ghostables.io`. |
+| `ANTHROPIC_API_KEY` | no | Only for the diff-review tool. Stays on your machine; Wardrail never sees it. |
+
+These feed the bundled MCP server via `${user_config.*}`; `@wardrail/mcp` is fetched on demand by `npx`.
+
+## The context-saving workflow
+
+`/checkpoint` → `/clear` → `/task resume <slug>`. Task files live per-project in `./tasks/<slug>.md`
+and carry a small, honest snapshot, so a fresh session rehydrates from ~3k tokens instead of a 150k
+transcript. `/checkpoint` stamps a tamper-evident `## Verification` block; a `status: done` that
+fails its checks is downgraded to FAIL — so "done" actually means done.
+
+## What's in the box
+
+```
+.claude-plugin/plugin.json   manifest + setup prompts
+skills/task/SKILL.md         /task new|resume <slug>
+skills/checkpoint/SKILL.md   /checkpoint  (runs the verifier)
+hooks/hooks.json             SessionStart → resume listing
+hooks/tasks-session-start.mjs
+hooks/verify-checkpoint.mjs  the machine verifier
+.mcp.json                    the Wardrail MCP server (npx -y @wardrail/mcp)
+```
+
+## Requirements
+
+Node 20+ and Claude Code (the plugin uses Claude Code's plugin + MCP support).
+
+## Learn more
+
+- **Wardrail** — the independent trust layer for AI-written code: https://wardrail.ghostables.io
+- **`@wardrail/mcp`** — the MCP server on its own, for Cursor / Windsurf / Claude Desktop: https://www.npmjs.com/package/@wardrail/mcp
+
+MIT licensed.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wardrail/plugin",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Wardrail Claude Code plugin — consult your project's contract while coding (MCP) plus a checkpoint->clear->resume workflow with machine-verified checkpoints.",
   "type": "module",
   "files": [