claude-warden 1.0.2 → 1.1.0

package/README.md

@@ -19,7 +19,8 @@ This AST-based approach enables:
 - **Recursive evaluation of remote commands**: `ssh devserver 'cat /etc/hosts'` → Warden extracts the remote command, parses it through the same pipeline, and allows it. `ssh devserver 'sudo rm -rf /'` → denied. Same for `docker exec`, `kubectl exec`, and `sprite exec`.
 - **Shell wrapper unwrapping**: `sh -c "npm run build && npm test"` → the inner command is extracted and recursively parsed/evaluated, not treated as an opaque string.
 - **Env prefix handling**: `NODE_ENV=production npm run build` → correctly evaluates `npm run build`, ignoring the env prefix.
-- **Subshell detection**: Commands with `$()` or backticks are flagged for prompting, since their actual content can't be statically evaluated.
+- **Recursive subshell evaluation**: Commands with `$()` or backticks are extracted, parsed, and recursively evaluated through the same pipeline. `echo $(cat file.txt)` → both `echo` and `cat` are evaluated individually. Only unparseable constructs (heredocs, complex shell syntax) fall back to prompting when `askOnSubshell` is enabled.
+- **Feedback on blocked commands**: When a command is blocked or flagged, Warden provides a system message explaining why and a YAML snippet showing how to allow it in your config.
 
 The result: **100+ common dev commands auto-approved**, dangerous commands auto-denied, everything else configurable — with zero changes to how you use Claude Code.
 
@@ -70,6 +71,21 @@ Warden works out of the box with sensible defaults. To customize, create a confi
 
 Copy [config/warden.default.yaml](config/warden.default.yaml) as a starting point.
 
+### Config priority (scoped layers)
+
+Config is evaluated in layers with **project > user > default** priority:
+
+1. **Project-level** (`.claude/warden.yaml`) — highest priority
+2. **User-level** (`~/.claude/warden.yaml`)
+3. **Built-in defaults**
+
+Within each layer, `alwaysDeny` is checked before `alwaysAllow`. The first layer with a matching entry wins. For command-specific rules, the first layer that defines a rule for a given command wins.
+
+This means:
+- A project `alwaysDeny` for `curl` overrides a user `alwaysAllow` for `curl`
+- A user `alwaysAllow` for `sudo` overrides the default `alwaysDeny` for `sudo`
+- A project rule for `npm` overrides the default rule for `npm`
+
 ### Config options
 
 ```yaml
@@ -79,18 +95,13 @@ defaultDecision: ask
 # Trigger "ask" for commands with $() or backticks
 askOnSubshell: true
 
-# Add commands to always allow/deny
+# Add commands to always allow/deny (scoped to this config level)
 alwaysAllow:
   - terraform
   - flyctl
 alwaysDeny:
   - nc
 
-# Block patterns (regex against full command string)
-globalDeny:
-  - pattern: 'curl.*evil\.com'
-    reason: 'Blocked domain'
-
 # Trusted remote targets (auto-allow connection, evaluate remote commands)
 trustedSSHHosts:
   - devserver
@@ -103,7 +114,7 @@ trustedKubectlContexts:
 trustedSprites:
   - my-sprite
 
-# Per-command rules (override built-in defaults)
+# Per-command rules (override built-in defaults for this scope)
 rules:
   - command: npx
     default: allow
@@ -116,9 +127,14 @@ rules:
         description: Read-only docker commands
 ```
 
-### Config priority
+## Feedback and `/warden-allow`
+
+When Warden blocks or flags a command, it includes a system message explaining:
 
-Project `.claude/warden.yaml` > User `~/.claude/warden.yaml` > Built-in defaults
+1. **Why** the command was blocked/flagged (per-command reasons)
+2. **How to allow it** — a ready-to-use YAML snippet for your config
+
+Use the `/warden-allow` slash command to apply the suggested config change. It will ask which scope (project or user) to use.
 
 ## Built-in defaults
 
@@ -128,14 +144,11 @@ File readers (`cat`, `head`, `tail`, `less`), search tools (`grep`, `rg`, `find`
 ### Always denied
 `sudo`, `su`, `mkfs`, `fdisk`, `dd`, `shutdown`, `reboot`, `iptables`, `crontab`, `systemctl`, `launchctl`
 
-### Global deny patterns
-- `rm -rf` (recursive force delete)
-- Direct writes to block devices
-- `chmod -R 777`
-- Fork bombs
-
 ### Conditional rules
-Commands like `node`, `npx`, `docker`, `ssh`, `git push --force`, `rm` have argument-aware rules. For example, `git` is allowed but `git push --force` triggers a prompt.
+Commands like `node`, `npx`, `docker`, `ssh`, `git push --force`, `rm`, `chmod` have argument-aware rules. For example:
+- `git` is allowed but `git push --force` triggers a prompt
+- `rm temp.txt` is allowed but `rm -rf /` is denied
+- `chmod 644 file` prompts but `chmod -R 777 /var` is denied
 
 ### Trusted remote targets
 Configure trusted hosts/containers/contexts to auto-allow connections and recursively evaluate remote commands:
@@ -151,9 +164,9 @@ All support glob patterns: `*`, `?`, `[...]`, `[!...]`, `{a,b,c}`
 1. Claude Code calls the `PreToolUse` hook before every Bash command
 2. Warden parses the command into an AST via [bash-parser](https://github.com/vorpaljs/bash-parser), walking the tree to extract individual commands from pipes, chains, logical expressions, and subshells
 3. Shell wrappers (`sh -c`, `bash -c`) and remote commands (`ssh`, `docker exec`, `kubectl exec`, `sprite exec`) are recursively parsed and evaluated
-4. Each command is evaluated through the rule hierarchy: global deny patterns → alwaysDeny → alwaysAllow → trusted remote targets → command-specific rules with argument matching → default decision
+4. Each command is evaluated through the rule hierarchy: alwaysDeny → alwaysAllow → trusted remote targets → command-specific rules with argument matching → default decision (checked per layer in priority order)
 5. Results are combined: any deny → deny whole pipeline, any ask → ask, all allow → allow
-6. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny)
+6. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny), with a system message explaining the reasoning for deny/ask decisions
 
 ## Development
 

package/config/warden.default.yaml

@@ -1,7 +1,11 @@
 # Claude Warden - Default Configuration Reference
 #
-# Copy to ~/.claude/warden.yaml or .claude/warden.yaml (project-level) to customize.
-# Project-level config overrides user-level config, which overrides defaults.
+# Copy to ~/.claude/warden.yaml (user-level) or .claude/warden.yaml (project-level) to customize.
+#
+# Config priority: project > user > built-in defaults.
+# Within each scope, alwaysDeny is checked before alwaysAllow, and the first
+# scope with a matching rule wins (e.g. a project rule overrides a user rule
+# for the same command).
 
 # Default decision for commands not covered by any rule: allow | deny | ask
 defaultDecision: ask
@@ -9,22 +13,17 @@ defaultDecision: ask
 # If true, commands containing $() or backticks trigger "ask"
 askOnSubshell: true
 
-# Additional commands to always allow (appended to built-in list)
+# Additional commands to always allow (checked after alwaysDeny within this scope)
 # alwaysAllow:
 #   - terraform
 #   - flyctl
 #   - my-safe-tool
 
-# Additional commands to always deny (appended to built-in list)
+# Additional commands to always deny (checked first within this scope)
 # alwaysDeny:
 #   - nc
 #   - ncat
 
-# Additional global deny patterns (regex against full command string)
-# globalDeny:
-#   - pattern: 'curl.*evil\\.com'
-#     reason: 'Blocked domain'
-
 # Trusted SSH hosts — ssh/scp/rsync to these hosts are auto-allowed.
 # Remote commands on trusted hosts are recursively evaluated through warden rules.
 # Supports glob patterns (* wildcards).
@@ -52,16 +51,15 @@ askOnSubshell: true
 #   - my-sprite
 #   - dev-*
 
-# Command-specific rules (override built-in rules by command name)
+# Command-specific rules (override built-in rules by command name).
+# The first scope (project > user > default) with a rule for a given command wins.
 # rules:
 #   - command: npx
 #     default: allow          # Trust all npx in this project
 #   - command: docker
-#     default: allow          # Trust docker in this project
-#   - command: ssh
-#     default: allow
+#     default: ask
 #     argPatterns:
 #       - match:
-#           anyArgMatches: ['^devserver$', '^staging$']
+#           anyArgMatches: ['^(ps|images|logs)$']
 #         decision: allow
-#         description: Known safe SSH targets
+#         description: Read-only docker commands

package/dist/index.cjs

@@ -18335,16 +18335,13 @@ function evaluate(parsed, config) {
 }
 function evaluateCommand(cmd, config) {
   const { command, args: args2 } = cmd;
-  for (const gp of config.globalDeny || []) {
-    if (new RegExp(gp.pattern).test(cmd.raw)) {
-      return { command, args: args2, decision: "deny", reason: gp.reason, matchedRule: "globalDeny" };
+  for (const layer of config.layers) {
+    if (layer.alwaysDeny.includes(command)) {
+      return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
+    }
+    if (layer.alwaysAllow.includes(command)) {
+      return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
     }
-  }
-  if (config.alwaysDeny?.includes(command)) {
-    return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
-  }
-  if (config.alwaysAllow?.includes(command)) {
-    return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
   }
   if ((command === "ssh" || command === "scp" || command === "rsync") && config.trustedSSHHosts?.length) {
     const sshResult = evaluateSSHCommand(cmd, config);
@@ -18362,9 +18359,11 @@ function evaluateCommand(cmd, config) {
     const spriteResult = evaluateSpriteExec(cmd, config);
     if (spriteResult) return spriteResult;
   }
-  const rule = config.rules.find((r) => r.command === command);
-  if (rule) {
-    return evaluateRule(cmd, rule);
+  for (const layer of config.layers) {
+    const rule = layer.rules.find((r) => r.command === command);
+    if (rule) {
+      return evaluateRule(cmd, rule);
+    }
   }
   return { command, args: args2, decision: config.defaultDecision, reason: `No rule for "${command}"`, matchedRule: "default" };
 }
@@ -18438,7 +18437,6 @@ function globToRegex(pattern) {
     } else if (ch === "?") {
       regex += ".";
     } else if (ch === "[") {
-      const start = i;
       i++;
       if (i < pattern.length && pattern[i] === "!") {
         regex += "[^";
@@ -18793,288 +18791,327 @@ var DEFAULT_CONFIG = {
   trustedDockerContainers: [],
   trustedKubectlContexts: [],
   trustedSprites: [],
-  alwaysAllow: [
-    // Read-only file operations
-    "cat",
-    "head",
-    "tail",
-    "less",
-    "more",
-    "wc",
-    "sort",
-    "uniq",
-    "tee",
-    "diff",
-    "comm",
-    "cut",
-    "paste",
-    "tr",
-    "fold",
-    "expand",
-    "unexpand",
-    "column",
-    "rev",
-    "tac",
-    "nl",
-    "od",
-    "xxd",
-    "file",
-    "stat",
-    // Search/find
-    "grep",
-    "egrep",
-    "fgrep",
-    "rg",
-    "ag",
-    "ack",
-    "find",
-    "fd",
-    "fzf",
-    "locate",
-    "which",
-    "whereis",
-    "type",
-    "command",
-    // Directory listing
-    "ls",
-    "dir",
-    "tree",
-    "exa",
-    "eza",
-    "lsd",
-    // Path/string utilities
-    "basename",
-    "dirname",
-    "realpath",
-    "readlink",
-    "echo",
-    "printf",
-    "true",
-    "false",
-    "test",
-    "[",
-    // Date/time
-    "date",
-    "cal",
-    // Environment info
-    "env",
-    "printenv",
-    "uname",
-    "hostname",
-    "whoami",
-    "id",
-    "pwd",
-    // Process viewing (read-only)
-    "ps",
-    "top",
-    "htop",
-    "uptime",
-    "free",
-    "df",
-    "du",
-    "lsof",
-    // Text processing
-    "sed",
-    "awk",
-    "jq",
-    "yq",
-    "xargs",
-    "seq",
-    // Pagers and formatters
-    "bat",
-    "pygmentize",
-    "highlight",
-    // Version managers (read-only)
-    "nvm",
-    "fnm",
-    "nvm",
-    "rbenv",
-    "pyenv",
-    // Misc safe
-    "cd",
-    "pushd",
-    "popd",
-    "dirs",
-    "hash",
-    "alias",
-    "sleep",
-    "wait",
-    "time",
-    "md5",
-    "md5sum",
-    "sha256sum",
-    "shasum",
-    "cksum",
-    "base64",
-    "openssl"
-  ],
-  alwaysDeny: [
-    "sudo",
-    "su",
-    "doas",
-    "mkfs",
-    "fdisk",
-    "dd",
-    "shutdown",
-    "reboot",
-    "halt",
-    "poweroff",
-    "iptables",
-    "ip6tables",
-    "nft",
-    "useradd",
-    "userdel",
-    "usermod",
-    "groupadd",
-    "groupdel",
-    "crontab",
-    "systemctl",
-    "service",
-    "launchctl"
-  ],
-  globalDeny: [
-    { pattern: "rm\\s+-[^\\s]*r[^\\s]*f|rm\\s+-[^\\s]*f[^\\s]*r", reason: "Recursive force delete" },
-    { pattern: ">\\/dev\\/sd|>\\/dev\\/nvme|>\\/dev\\/hd", reason: "Direct write to block device" },
-    { pattern: "chmod\\s+-R\\s+777", reason: "Recursively setting world-writable permissions" },
-    { pattern: ":\\(\\)\\s*\\{", reason: "Fork bomb pattern detected" }
-  ],
-  rules: [
-    // --- Node.js ecosystem ---
-    {
-      command: "node",
-      default: "ask",
-      argPatterns: [
-        { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
-        { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
-        { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
-      ]
-    },
-    {
-      command: "npx",
-      default: "ask",
-      argPatterns: [
-        {
-          match: { anyArgMatches: ["^(jest|vitest|tsx|ts-node|tsc|eslint|prettier|rimraf|mkdirp|concurrently|turbo|next|nuxt|vite|astro|playwright|cypress|mocha|nyc|c8|nodemon|ts-jest|tsup|esbuild|rollup|webpack|prisma|drizzle-kit|typeorm|knex|sequelize-cli|tailwindcss|postcss|autoprefixer|lint-staged|husky|changeset|semantic-release|lerna|nx|create-react-app|create-next-app|create-vite|degit|storybook|wrangler|netlify|vercel)$"] },
-          decision: "allow",
-          description: "Well-known dev tools"
-        },
-        { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" }
-      ]
-    },
-    {
-      command: "bunx",
-      default: "ask",
-      argPatterns: [
-        {
-          match: { anyArgMatches: ["^(jest|vitest|tsx|tsc|eslint|prettier|turbo|next|vite|astro|playwright|prisma|drizzle-kit|tsup|esbuild|tailwindcss|storybook|wrangler)$"] },
-          decision: "allow",
-          description: "Well-known dev tools"
-        }
-      ]
-    },
-    {
-      command: "npm",
-      default: "allow",
-      argPatterns: [
-        { match: { anyArgMatches: ["^(publish|unpublish|deprecate|owner|access|token|adduser|login)$"] }, decision: "ask", reason: "Registry modification" }
-      ]
-    },
-    { command: "pnpm", default: "allow", argPatterns: [{ match: { anyArgMatches: ["^publish$"] }, decision: "ask", reason: "Publishing" }] },
-    { command: "yarn", default: "allow", argPatterns: [{ match: { anyArgMatches: ["^publish$"] }, decision: "ask", reason: "Publishing" }] },
-    {
-      command: "bun",
-      default: "ask",
-      argPatterns: [
-        { match: { anyArgMatches: ["^(install|add|remove|run|test|build|init|create|pm|x|upgrade|link|unlink)$"] }, decision: "allow", description: "Standard bun commands" },
-        { match: { anyArgMatches: ["^--(version|help)$"] }, decision: "allow" }
-      ]
-    },
-    // --- Python ---
-    {
-      command: "python",
-      default: "ask",
-      argPatterns: [
-        { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
-      ]
-    },
-    {
-      command: "python3",
-      default: "ask",
-      argPatterns: [
-        { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
-      ]
-    },
-    { command: "pip", default: "allow" },
-    { command: "pip3", default: "allow" },
-    { command: "uv", default: "allow" },
-    { command: "pipx", default: "ask" },
-    // --- Git ---
-    {
-      command: "git",
-      default: "allow",
-      argPatterns: [
-        { match: { argsMatch: ["push\\s+--force", "push\\s+-f\\b"] }, decision: "ask", reason: "Force push can overwrite remote history" },
-        { match: { argsMatch: ["reset\\s+--hard"] }, decision: "ask", reason: "Hard reset discards changes" },
-        { match: { anyArgMatches: ["^clean$"] }, decision: "ask", reason: "git clean removes untracked files" }
-      ]
-    },
-    { command: "gh", default: "allow" },
-    // --- Build tools ---
-    { command: "make", default: "allow" },
-    { command: "cmake", default: "allow" },
-    { command: "cargo", default: "allow" },
-    { command: "go", default: "allow" },
-    { command: "rustup", default: "allow" },
-    { command: "tsc", default: "allow" },
-    { command: "turbo", default: "allow" },
-    { command: "nx", default: "allow" },
-    { command: "lerna", default: "allow" },
-    // --- Docker ---
-    {
-      command: "docker",
-      default: "ask",
-      argPatterns: [
-        { match: { anyArgMatches: ["^(ps|images|logs|inspect|stats|top|version|info)$"] }, decision: "allow", description: "Read-only docker commands" },
-        { match: { anyArgMatches: ["^(build|run|compose|exec|pull|stop|start|restart|create)$"] }, decision: "ask", reason: "Docker state-changing operation" },
-        { match: { anyArgMatches: ["^(system\\s+prune|container\\s+prune|image\\s+prune)$"] }, decision: "ask", reason: "Docker prune operations" }
-      ]
-    },
-    { command: "docker-compose", default: "ask" },
-    { command: "kubectl", default: "ask" },
-    // --- File operations ---
-    {
-      command: "rm",
-      default: "ask",
-      argPatterns: [
-        { match: { argsMatch: ["-[^\\s]*r"] }, decision: "ask", reason: "Recursive delete" },
-        { match: { argCount: { max: 3 }, not: false }, decision: "allow", description: "Deleting a small number of non-recursive files" }
-      ]
-    },
-    { command: "mkdir", default: "allow" },
-    { command: "touch", default: "allow" },
-    { command: "cp", default: "allow" },
-    { command: "mv", default: "allow" },
-    { command: "ln", default: "allow" },
-    { command: "chmod", default: "ask" },
-    { command: "chown", default: "ask" },
-    // --- Network ---
-    { command: "curl", default: "allow" },
-    { command: "wget", default: "allow" },
-    { command: "ssh", default: "ask" },
-    { command: "scp", default: "ask" },
-    { command: "rsync", default: "ask" },
-    // --- Package managers ---
-    { command: "brew", default: "allow" },
-    { command: "apt", default: "ask" },
-    { command: "apt-get", default: "ask" },
-    { command: "yum", default: "ask" },
-    { command: "dnf", default: "ask" },
-    { command: "pacman", default: "ask" },
-    // --- Terraform / IaC ---
-    { command: "terraform", default: "ask", argPatterns: [
-      { match: { anyArgMatches: ["^(plan|validate|fmt|show|state|output|providers|version|graph|console)$"] }, decision: "allow", description: "Read-only terraform commands" }
-    ] }
-  ]
+  layers: [{
+    alwaysAllow: [
+      // Read-only file operations
+      "cat",
+      "head",
+      "tail",
+      "less",
+      "more",
+      "wc",
+      "sort",
+      "uniq",
+      "tee",
+      "diff",
+      "comm",
+      "cut",
+      "paste",
+      "tr",
+      "fold",
+      "expand",
+      "unexpand",
+      "column",
+      "rev",
+      "tac",
+      "nl",
+      "od",
+      "xxd",
+      "file",
+      "stat",
+      // Search/find
+      "grep",
+      "egrep",
+      "fgrep",
+      "rg",
+      "ag",
+      "ack",
+      "find",
+      "fd",
+      "fzf",
+      "locate",
+      "which",
+      "whereis",
+      "type",
+      "command",
+      // Directory listing
+      "ls",
+      "dir",
+      "tree",
+      "exa",
+      "eza",
+      "lsd",
+      // Path/string utilities
+      "basename",
+      "dirname",
+      "realpath",
+      "readlink",
+      "echo",
+      "printf",
+      "true",
+      "false",
+      "test",
+      "[",
+      // Date/time
+      "date",
+      "cal",
+      // Environment info
+      "env",
+      "printenv",
+      "uname",
+      "hostname",
+      "whoami",
+      "id",
+      "pwd",
+      // Process viewing (read-only)
+      "ps",
+      "top",
+      "htop",
+      "uptime",
+      "free",
+      "df",
+      "du",
+      "lsof",
+      // Text processing
+      "sed",
+      "awk",
+      "jq",
+      "yq",
+      "xargs",
+      "seq",
+      // Pagers and formatters
+      "bat",
+      "pygmentize",
+      "highlight",
+      // Version managers (read-only)
+      "nvm",
+      "fnm",
+      "rbenv",
+      "pyenv",
+      // Misc safe
+      "cd",
+      "pushd",
+      "popd",
+      "dirs",
+      "hash",
+      "alias",
+      "sleep",
+      "wait",
+      "time",
+      "md5",
+      "md5sum",
+      "sha256sum",
+      "shasum",
+      "cksum",
+      "base64",
+      "openssl"
+    ],
+    alwaysDeny: [
+      "sudo",
+      "su",
+      "doas",
+      "mkfs",
+      "fdisk",
+      "dd",
+      "shutdown",
+      "reboot",
+      "halt",
+      "poweroff",
+      "iptables",
+      "ip6tables",
+      "nft",
+      "useradd",
+      "userdel",
+      "usermod",
+      "groupadd",
+      "groupdel",
+      "crontab",
+      "systemctl",
+      "service",
+      "launchctl"
+    ],
+    rules: [
+      // --- Node.js ecosystem ---
+      {
+        command: "node",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
+          { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
+          { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
+        ]
+      },
+      {
+        command: "npx",
+        default: "ask",
+        argPatterns: [
+          {
+            match: { anyArgMatches: ["^(jest|vitest|tsx|ts-node|tsc|eslint|prettier|mkdirp|concurrently|turbo|next|nuxt|vite|astro|playwright|cypress|mocha|nyc|c8|nodemon|ts-jest|tsup|esbuild|rollup|webpack|prisma|drizzle-kit|typeorm|knex|sequelize-cli|tailwindcss|postcss|autoprefixer|lint-staged|husky|changeset|semantic-release|lerna|nx|create-react-app|create-next-app|create-vite|degit|storybook|wrangler|netlify|vercel)$"] },
+            decision: "allow",
+            description: "Well-known dev tools"
+          },
+          { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" }
+        ]
+      },
+      {
+        command: "bunx",
+        default: "ask",
+        argPatterns: [
+          {
+            match: { anyArgMatches: ["^(jest|vitest|tsx|ts-node|tsc|eslint|prettier|mkdirp|concurrently|turbo|next|nuxt|vite|astro|playwright|cypress|mocha|nyc|c8|nodemon|ts-jest|tsup|esbuild|rollup|webpack|prisma|drizzle-kit|typeorm|knex|sequelize-cli|tailwindcss|postcss|autoprefixer|lint-staged|husky|changeset|semantic-release|lerna|nx|create-react-app|create-next-app|create-vite|degit|storybook|wrangler|netlify|vercel)$"] },
+            decision: "allow",
+            description: "Well-known dev tools"
+          },
+          { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" }
+        ]
+      },
+      {
+        command: "npm",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(publish|unpublish|deprecate|owner|access|token|adduser|login)$"] }, decision: "ask", reason: "Registry modification" }
+        ]
+      },
+      {
+        command: "pnpm",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(publish|unpublish|deprecate|owner|access|token|adduser|login)$"] }, decision: "ask", reason: "Registry modification" }
+        ]
+      },
+      {
+        command: "yarn",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(publish|unpublish|owner|access|token|login|logout)$"] }, decision: "ask", reason: "Registry modification" }
+        ]
+      },
+      {
+        command: "bun",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(install|add|remove|run|test|build|init|create|pm|x|upgrade|link|unlink)$"] }, decision: "allow", description: "Standard bun commands" },
+          { match: { anyArgMatches: ["^--(version|help)$"] }, decision: "allow" }
+        ]
+      },
+      // --- Python ---
+      {
+        command: "python",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
+        ]
+      },
+      {
+        command: "python3",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
+        ]
+      },
+      { command: "pip", default: "allow" },
+      { command: "pip3", default: "allow" },
+      {
+        command: "uv",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^publish$"] }, decision: "ask", reason: "Publishing to PyPI" }
+        ]
+      },
+      { command: "pipx", default: "ask" },
+      // --- Git ---
+      {
+        command: "git",
+        default: "allow",
+        argPatterns: [
+          { match: { argsMatch: ["push\\s+--force", "push\\s+-f\\b"] }, decision: "ask", reason: "Force push can overwrite remote history" },
+          { match: { argsMatch: ["reset\\s+--hard"] }, decision: "ask", reason: "Hard reset discards changes" },
+          { match: { anyArgMatches: ["^clean$"] }, decision: "ask", reason: "git clean removes untracked files" }
+        ]
+      },
+      {
+        command: "gh",
+        default: "allow",
+        argPatterns: [
+          { match: { argsMatch: ["repo\\s+delete", "repo\\s+archive"] }, decision: "ask", reason: "Destructive repo operation" }
+        ]
+      },
+      // --- Build tools ---
+      { command: "make", default: "allow" },
+      { command: "cmake", default: "allow" },
+      {
+        command: "cargo",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(publish|login|logout|owner|yank)$"] }, decision: "ask", reason: "Registry modification" }
+        ]
+      },
+      {
+        command: "go",
+        default: "allow",
+        argPatterns: [
+          { match: { anyArgMatches: ["^generate$"] }, decision: "ask", reason: "go generate runs arbitrary commands" }
+        ]
+      },
+      { command: "rustup", default: "allow" },
+      { command: "tsc", default: "allow" },
+      { command: "turbo", default: "allow" },
+      { command: "nx", default: "allow" },
+      { command: "lerna", default: "allow" },
+      // --- Docker ---
+      {
+        command: "docker",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(ps|images|logs|inspect|stats|top|version|info)$"] }, decision: "allow", description: "Read-only docker commands" },
+          { match: { anyArgMatches: ["^(build|run|compose|exec|pull|stop|start|restart|create)$"] }, decision: "ask", reason: "Docker state-changing operation" },
+          { match: { anyArgMatches: ["^(system\\s+prune|container\\s+prune|image\\s+prune)$"] }, decision: "ask", reason: "Docker prune operations" }
+        ]
+      },
+      { command: "docker-compose", default: "ask" },
+      { command: "kubectl", default: "ask" },
+      // --- File operations ---
+      {
+        command: "rm",
+        default: "ask",
+        argPatterns: [
+          { match: { argsMatch: ["-[^\\s]*r[^\\s]*f|-[^\\s]*f[^\\s]*r"] }, decision: "deny", reason: "Recursive force delete (rm -rf)" },
+          { match: { argsMatch: ["-[^\\s]*r"] }, decision: "ask", reason: "Recursive delete" },
+          { match: { argCount: { max: 3 }, not: false }, decision: "allow", description: "Deleting a small number of non-recursive files" }
+        ]
+      },
+      { command: "mkdir", default: "allow" },
+      { command: "touch", default: "allow" },
+      { command: "cp", default: "allow" },
+      { command: "mv", default: "allow" },
+      { command: "ln", default: "allow" },
+      {
+        command: "chmod",
+        default: "ask",
+        argPatterns: [
+          { match: { argsMatch: ["-R\\s+777"] }, decision: "deny", reason: "Recursively setting world-writable permissions" }
+        ]
+      },
+      { command: "chown", default: "ask" },
+      // --- Network ---
+      { command: "curl", default: "allow" },
+      { command: "wget", default: "allow" },
+      { command: "ssh", default: "ask" },
+      { command: "scp", default: "ask" },
+      { command: "rsync", default: "ask" },
+      // --- Package managers ---
+      { command: "brew", default: "allow" },
+      { command: "apt", default: "ask" },
+      { command: "apt-get", default: "ask" },
+      { command: "yum", default: "ask" },
+      { command: "dnf", default: "ask" },
+      { command: "pacman", default: "ask" },
+      // --- Terraform / IaC ---
+      { command: "terraform", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(plan|validate|fmt|show|state|output|providers|version|graph|console)$"] }, decision: "allow", description: "Read-only terraform commands" }
+      ] }
+    ]
+  }]
 };
 
 // src/rules.ts
@@ -19088,67 +19125,135 @@ var PROJECT_CONFIG_NAMES = [
 ];
 function loadConfig(cwd) {
   const config = structuredClone(DEFAULT_CONFIG);
+  const defaultLayer = config.layers[0];
+  let userLayer = null;
+  let userRaw = null;
   for (const configPath of USER_CONFIG_PATHS) {
-    if (tryMergeConfigFile(config, configPath)) break;
+    const result = tryLoadFile(configPath);
+    if (result) {
+      userLayer = extractLayer(result);
+      userRaw = result;
+      break;
+    }
   }
+  let workspaceLayer = null;
+  let workspaceRaw = null;
   if (cwd) {
     for (const name of PROJECT_CONFIG_NAMES) {
-      if (tryMergeConfigFile(config, (0, import_path2.join)(cwd, name))) break;
+      const result = tryLoadFile((0, import_path2.join)(cwd, name));
+      if (result) {
+        workspaceLayer = extractLayer(result);
+        workspaceRaw = result;
+        break;
+      }
     }
   }
+  config.layers = [
+    ...workspaceLayer ? [workspaceLayer] : [],
+    ...userLayer ? [userLayer] : [],
+    defaultLayer
+  ];
+  if (userRaw) mergeNonLayerFields(config, userRaw);
+  if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
   return config;
 }
-function tryMergeConfigFile(config, filePath) {
-  if (!(0, import_fs.existsSync)(filePath)) return false;
+function tryLoadFile(filePath) {
+  if (!(0, import_fs.existsSync)(filePath)) return null;
   try {
     const raw = (0, import_fs.readFileSync)(filePath, "utf-8");
     const parsed = filePath.endsWith(".yaml") || filePath.endsWith(".yml") ? (0, import_yaml.parse)(raw) : JSON.parse(raw);
     if (parsed && typeof parsed === "object") {
-      mergeConfig(config, parsed);
-      return true;
+      return parsed;
     }
   } catch {
   }
-  return false;
+  return null;
 }
-function mergeConfig(base, override) {
-  if (override.alwaysAllow) {
-    base.alwaysAllow = [...base.alwaysAllow || [], ...override.alwaysAllow];
+function extractLayer(raw) {
+  return {
+    alwaysAllow: Array.isArray(raw.alwaysAllow) ? raw.alwaysAllow : [],
+    alwaysDeny: Array.isArray(raw.alwaysDeny) ? raw.alwaysDeny : [],
+    rules: Array.isArray(raw.rules) ? raw.rules : []
+  };
+}
+function mergeNonLayerFields(config, raw) {
+  if (Array.isArray(raw.trustedSSHHosts)) {
+    config.trustedSSHHosts = [...config.trustedSSHHosts || [], ...raw.trustedSSHHosts];
   }
-  if (override.alwaysDeny) {
-    base.alwaysDeny = [...base.alwaysDeny || [], ...override.alwaysDeny];
+  if (Array.isArray(raw.trustedDockerContainers)) {
+    config.trustedDockerContainers = [...config.trustedDockerContainers || [], ...raw.trustedDockerContainers];
   }
-  if (override.globalDeny) {
-    base.globalDeny = [...base.globalDeny || [], ...override.globalDeny];
+  if (Array.isArray(raw.trustedKubectlContexts)) {
+    config.trustedKubectlContexts = [...config.trustedKubectlContexts || [], ...raw.trustedKubectlContexts];
   }
-  if (override.trustedSSHHosts) {
-    base.trustedSSHHosts = [...base.trustedSSHHosts || [], ...override.trustedSSHHosts];
+  if (Array.isArray(raw.trustedSprites)) {
+    config.trustedSprites = [...config.trustedSprites || [], ...raw.trustedSprites];
   }
-  if (override.trustedDockerContainers) {
-    base.trustedDockerContainers = [...base.trustedDockerContainers || [], ...override.trustedDockerContainers];
+  if (typeof raw.defaultDecision === "string") {
+    config.defaultDecision = raw.defaultDecision;
   }
-  if (override.trustedKubectlContexts) {
-    base.trustedKubectlContexts = [...base.trustedKubectlContexts || [], ...override.trustedKubectlContexts];
+  if (typeof raw.askOnSubshell === "boolean") {
+    config.askOnSubshell = raw.askOnSubshell;
   }
-  if (override.trustedSprites) {
-    base.trustedSprites = [...base.trustedSprites || [], ...override.trustedSprites];
+}
+
+// src/suggest.ts
+function generateAllowSnippet(details) {
+  const lines = [];
+  const alwaysAllowCmds = [];
+  const ruleCmds = [];
+  for (const d of details) {
+    if (d.decision === "allow") continue;
+    if (d.matchedRule === "alwaysDeny" || d.matchedRule === "default") {
+      if (!alwaysAllowCmds.includes(d.command)) {
+        alwaysAllowCmds.push(d.command);
+      }
+    } else if (d.matchedRule?.endsWith(":default") || d.matchedRule?.endsWith(":argPattern")) {
+      if (!ruleCmds.includes(d.command)) {
+        ruleCmds.push(d.command);
+      }
+    }
   }
-  if (override.defaultDecision) {
-    base.defaultDecision = override.defaultDecision;
+  if (alwaysAllowCmds.length > 0) {
+    lines.push("alwaysAllow:");
+    for (const cmd of alwaysAllowCmds) {
+      lines.push(`  - "${cmd}"`);
+    }
   }
-  if (override.askOnSubshell !== void 0) {
-    base.askOnSubshell = override.askOnSubshell;
+  if (ruleCmds.length > 0) {
+    lines.push("rules:");
+    for (const cmd of ruleCmds) {
+      lines.push(`  - command: "${cmd}"`);
+      lines.push("    default: allow");
+    }
   }
-  if (override.rules) {
-    for (const userRule of override.rules) {
-      const idx = base.rules.findIndex((r) => r.command === userRule.command);
-      if (idx >= 0) {
-        base.rules[idx] = userRule;
-      } else {
-        base.rules.push(userRule);
-      }
+  return lines.join("\n");
+}
+function formatSystemMessage(decision, rawCommand, details) {
+  const header = decision === "deny" ? "[warden] Command blocked" : "[warden] Command flagged for review";
+  const lines = [header, ""];
+  const relevant = details.filter((d) => d.decision !== "allow");
+  if (relevant.length > 0) {
+    for (const d of relevant) {
+      lines.push(`- \`${d.command}\`: ${d.reason}`);
     }
+    lines.push("");
+  }
+  const snippet = generateAllowSnippet(details);
+  if (snippet) {
+    lines.push("To allow this in the future, add to your warden config:");
+    lines.push("");
+    lines.push("```yaml");
+    lines.push(snippet);
+    lines.push("```");
+    lines.push("");
+    lines.push("Config locations:");
+    lines.push("- User-level (all projects): `~/.claude/warden.yaml`");
+    lines.push("- Project-level (this project): `.claude/warden.yaml`");
+    lines.push("");
+    lines.push("Project config takes priority over user config.");
   }
+  return lines.join("\n");
 }
 
 // src/index.ts
@@ -19174,21 +19279,27 @@ async function main() {
   const parsed = parseCommand(command);
   const result = evaluate(parsed, config);
   if (result.decision === "allow") {
-    const output = {
+    const output2 = {
       hookSpecificOutput: {
         hookEventName: "PreToolUse",
         permissionDecision: "allow",
         permissionDecisionReason: `[warden] ${result.reason}`
       }
     };
-    process.stdout.write(JSON.stringify(output));
+    process.stdout.write(JSON.stringify(output2));
     process.exit(0);
   }
   if (result.decision === "deny") {
+    const msg2 = formatSystemMessage("deny", command, result.details);
+    const output2 = { systemMessage: msg2 };
+    process.stdout.write(JSON.stringify(output2));
     process.stderr.write(`[warden] Blocked: ${result.reason}
 `);
     process.exit(2);
   }
+  const msg = formatSystemMessage("ask", command, result.details);
+  const output = { systemMessage: msg };
+  process.stdout.write(JSON.stringify(output));
   process.exit(0);
 }
 main().catch(() => process.exit(0));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",