claude-warden 1.0.0 → 1.0.2

package/{marketplace.json → .claude-plugin/marketplace.json}

@@ -1,11 +1,19 @@
 {
   "name": "claude-warden",
   "description": "Smart command safety filter for Claude Code",
+  "owner": {
+    "name": "banyudu"
+  },
   "plugins": [
     {
       "name": "claude-warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "source": "."
+      "version": "1.0.1",
+      "author": {
+        "name": "banyudu"
+      },
+      "source": "./",
+      "category": "security"
     }
   ]
 }

package/README.md

@@ -2,15 +2,38 @@
 
 Smart command safety filter for [Claude Code](https://claude.ai/code). Parses shell commands, evaluates each against configurable safety rules, and returns allow/deny/ask decisions — eliminating unnecessary permission prompts while blocking dangerous commands.
 
-## What it does
+## The problem
 
-Without Warden, Claude Code prompts you for **every** shell command. With Warden:
+Claude Code's permission system is all-or-nothing. In the default mode, you're prompted for **every** shell command — even `ls`, `cat`, and `grep`. This creates a painful UX where you're clicking "Allow" hundreds of times per session on obviously safe commands. The alternative (yolo mode) disables all prompts, which is dangerous.
 
-- `ls`, `grep`, `cat`, `git status` → **auto-approved** (100+ safe commands)
-- `sudo`, `shutdown`, `rm -rf /` → **auto-denied**
-- `npm install`, `docker build`, `ssh prod` → **configurable** per-command rules with argument pattern matching
+There's no middle ground: you can't say "allow `git` but block `git push --force`", or "allow `ssh` to my dev server but prompt for production". And compound commands like `npm run build && npm test` trigger a single opaque prompt with no visibility into what's actually being run.
 
-It handles pipes, chains (`&&`, `||`, `;`), env prefixes, `sh -c` wrappers, and subshells. If any command in a pipeline is denied, the whole pipeline is denied.
+## How Warden solves it
+
+Warden hooks into Claude Code's `PreToolUse` event and **parses every shell command into an AST** using [bash-parser](https://github.com/vorpaljs/bash-parser). This means it doesn't just see `npm run build && git push --force` as a single string — it walks the AST to extract each individual command, then evaluates them independently against a configurable rule engine.
+
+This AST-based approach enables:
+
+- **Pipe and chain decomposition**: `cat file | grep pattern | wc -l` is parsed into three commands, each evaluated separately. All safe → auto-allow. One dangerous → deny the whole pipeline.
+- **Argument-aware rules**: `git status` → allow, `git push --force` → prompt. `rm temp.txt` → allow, `rm -rf /` → deny. The evaluator matches against argument patterns, not just command names.
+- **Recursive evaluation of remote commands**: `ssh devserver 'cat /etc/hosts'` → Warden extracts the remote command, parses it through the same pipeline, and allows it. `ssh devserver 'sudo rm -rf /'` → denied. Same for `docker exec`, `kubectl exec`, and `sprite exec`.
+- **Shell wrapper unwrapping**: `sh -c "npm run build && npm test"` → the inner command is extracted and recursively parsed/evaluated, not treated as an opaque string.
+- **Env prefix handling**: `NODE_ENV=production npm run build` → correctly evaluates `npm run build`, ignoring the env prefix.
+- **Subshell detection**: Commands with `$()` or backticks are flagged for prompting, since their actual content can't be statically evaluated.
+
+The result: **100+ common dev commands auto-approved**, dangerous commands auto-denied, everything else configurable — with zero changes to how you use Claude Code.
+
+### Before and after
+
+| Command | Without Warden | With Warden |
+|---------|---------------|-------------|
+| `ls -la` | Prompted | Auto-allowed |
+| `cat file \| grep pattern \| wc -l` | Prompted | Auto-allowed (3 safe commands) |
+| `npm run build && npm test` | Prompted | Auto-allowed |
+| `git push --force origin main` | Prompted | Prompted (force push is risky) |
+| `sudo rm -rf /` | Prompted | Auto-denied |
+| `ssh devserver cat /etc/hosts` | Prompted | Auto-allowed (trusted host + safe cmd) |
+| `ssh devserver sudo rm -rf /` | Prompted | Auto-denied (trusted host + dangerous cmd) |
 
 ## Install
 
@@ -114,13 +137,23 @@ File readers (`cat`, `head`, `tail`, `less`), search tools (`grep`, `rg`, `find`
 ### Conditional rules
 Commands like `node`, `npx`, `docker`, `ssh`, `git push --force`, `rm` have argument-aware rules. For example, `git` is allowed but `git push --force` triggers a prompt.
 
+### Trusted remote targets
+Configure trusted hosts/containers/contexts to auto-allow connections and recursively evaluate remote commands:
+- **SSH**: `trustedSSHHosts` — also covers `scp` and `rsync`
+- **Docker**: `trustedDockerContainers` — for `docker exec`
+- **kubectl**: `trustedKubectlContexts` — for `kubectl exec` (requires explicit `--context`)
+- **Sprite**: `trustedSprites` — for `sprite exec`/`console`
+
+All support glob patterns: `*`, `?`, `[...]`, `[!...]`, `{a,b,c}`
+
 ## How it works
 
 1. Claude Code calls the `PreToolUse` hook before every Bash command
-2. Warden parses the command into individual parts (handling pipes, chains, env prefixes)
-3. Each part is evaluated: global deny → alwaysDeny → alwaysAllow → command rules → default
-4. For pipelines: any deny → deny whole pipeline, any ask → ask, all allow → allow
-5. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny)
+2. Warden parses the command into an AST via [bash-parser](https://github.com/vorpaljs/bash-parser), walking the tree to extract individual commands from pipes, chains, logical expressions, and subshells
+3. Shell wrappers (`sh -c`, `bash -c`) and remote commands (`ssh`, `docker exec`, `kubectl exec`, `sprite exec`) are recursively parsed and evaluated
+4. Each command is evaluated through the rule hierarchy: global deny patterns → alwaysDeny → alwaysAllow → trusted remote targets → command-specific rules with argument matching → default decision
+5. Results are combined: any deny → deny whole pipeline, any ask → ask, all allow → allow
+6. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny)
 
 ## Development
 

package/dist/index.cjs

@@ -18166,33 +18166,39 @@ function convertCommand(node) {
   const raw = rawParts.join(" ");
   return { command, args: args2, envPrefixes, raw };
 }
-function hasCommandExpansion(node) {
-  if (node.type === "CommandExpansion") return true;
+function collectCommandExpansions(node) {
+  const commands = [];
   if (node.type === "Command") {
     const cmd = node;
     if (cmd.suffix) {
       for (const s of cmd.suffix) {
         if (s.type === "Word" && s.expansion) {
           for (const exp of s.expansion) {
-            if (exp.type === "CommandExpansion") return true;
+            if (exp.type === "CommandExpansion" && exp.command) {
+              commands.push(exp.command);
+            }
           }
         }
       }
     }
     if (cmd.name?.expansion) {
       for (const exp of cmd.name.expansion) {
-        if (exp.type === "CommandExpansion") return true;
+        if (exp.type === "CommandExpansion" && exp.command) {
+          commands.push(exp.command);
+        }
       }
     }
   }
-  return false;
+  return commands;
 }
 function walkNode(node, result) {
   switch (node.type) {
     case "Command": {
       const cmd = node;
-      if (hasCommandExpansion(node)) {
+      const expansions = collectCommandExpansions(node);
+      if (expansions.length > 0) {
         result.hasSubshell = true;
+        result.subshellCommands.push(...expansions);
       }
       const parsed = convertCommand(cmd);
       if (!parsed) break;
@@ -18205,6 +18211,7 @@ function walkNode(node, result) {
           if (innerResult.hasSubshell) {
             result.hasSubshell = true;
           }
+          result.subshellCommands.push(...innerResult.subshellCommands);
         }
       } else {
         result.commands.push(parsed);
@@ -18249,35 +18256,35 @@ function walkNode(node, result) {
 }
 function parseCommand(input) {
   if (!input || !input.trim()) {
-    return { commands: [], hasSubshell: false, parseError: false };
+    return { commands: [], hasSubshell: false, subshellCommands: [], parseError: false };
   }
   const hasHeredoc = HEREDOC_REGEX.test(input);
   if (hasHeredoc) {
     const firstLine = input.split("\n")[0];
     const cmdPart = firstLine.replace(/<<-?\s*['"]?\w+['"]?.*$/, "").trim();
     if (!cmdPart) {
-      return { commands: [], hasSubshell: false, parseError: true };
+      return { commands: [], hasSubshell: false, subshellCommands: [], parseError: true };
     }
     try {
       const ast = (0, import_bash_parser.default)(cmdPart);
-      const result = { commands: [], hasSubshell: false };
+      const result = { commands: [], hasSubshell: false, subshellCommands: [] };
       for (const cmd of ast.commands) {
         walkNode(cmd, result);
       }
-      return { commands: result.commands, hasSubshell: true, parseError: false };
+      return { commands: result.commands, hasSubshell: true, subshellCommands: result.subshellCommands, parseError: false };
     } catch {
-      return { commands: [], hasSubshell: true, parseError: true };
+      return { commands: [], hasSubshell: true, subshellCommands: [], parseError: true };
     }
   }
   try {
     const ast = (0, import_bash_parser.default)(input);
-    const result = { commands: [], hasSubshell: false };
+    const result = { commands: [], hasSubshell: false, subshellCommands: [] };
     for (const cmd of ast.commands) {
       walkNode(cmd, result);
     }
-    return { commands: result.commands, hasSubshell: result.hasSubshell, parseError: false };
+    return { commands: result.commands, hasSubshell: result.hasSubshell, subshellCommands: result.subshellCommands, parseError: false };
   } catch {
-    return { commands: [], hasSubshell: false, parseError: true };
+    return { commands: [], hasSubshell: false, subshellCommands: [], parseError: true };
   }
 }
 
@@ -18289,7 +18296,18 @@ function evaluate(parsed, config) {
   if (parsed.commands.length === 0) {
     return { decision: "allow", reason: "Empty command", details: [] };
   }
-  if (parsed.hasSubshell && config.askOnSubshell) {
+  if (parsed.hasSubshell && parsed.subshellCommands.length > 0) {
+    for (const subCmd of parsed.subshellCommands) {
+      const subParsed = parseCommand(subCmd);
+      const subResult = evaluate(subParsed, config);
+      if (subResult.decision === "deny") {
+        return { decision: "deny", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+      if (subResult.decision === "ask") {
+        return { decision: "ask", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+    }
+  } else if (parsed.hasSubshell && parsed.subshellCommands.length === 0 && config.askOnSubshell) {
     return { decision: "ask", reason: "Command contains subshell/command substitution", details: [] };
   }
   const details = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",