npm - claude-warden - Versions diffs - 1.1.9 → 1.1.11 - Mend

claude-warden 1.1.9 → 1.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/.claude-plugin/plugin.json +1 -1
package/README.md +29 -0
package/dist/index.cjs +46 -49
package/package.json +4 -1

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.1.9",
+  "version": "1.1.11",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md CHANGED Viewed

@@ -168,6 +168,35 @@ All support glob patterns: `*`, `?`, `[...]`, `[!...]`, `{a,b,c}`
 5. Results are combined: any deny → deny whole pipeline, any ask → ask, all allow → allow
 6. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny), with a system message explaining the reasoning for deny/ask decisions
+## FAQ
+### Warden says "All commands are safe" but I still get a permission prompt
+This usually means **another plugin's hook** is overriding Warden's decision. When multiple PreToolUse hooks run, Claude Code uses "most restrictive wins" — if any hook returns `ask`, it overrides another hook's `allow`.
+**Common culprit:** The `github-dev` plugin ships a `git_commit_confirm.py` hook that returns `permissionDecision: "ask"` for every `git commit` command, regardless of what Warden decides. You'll see something like:
+```
+Hook PreToolUse:Bash requires confirmation for this command:
+[warden] All commands are safe
+```
+Warden evaluated the command as safe, but the other hook forced a confirmation prompt.
+**How to fix:** Uninstall or disable the conflicting plugin. For example:
+```
+/plugin uninstall github-dev
+```
+**How to diagnose:** If you see Warden's `[warden] All commands are safe` message alongside a permission prompt, another hook is the cause. Check your installed plugins for PreToolUse hooks:
+```
+/plugin list
+```
+Then inspect each plugin's `hooks/hooks.json` for PreToolUse entries targeting `Bash`.
 ## Development
 ```bash

package/dist/index.cjs CHANGED Viewed

@@ -18602,6 +18602,27 @@ var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
   "--workdir",
   "--detach-keys"
 ]);
+var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
+function evaluateRemoteCommand(remoteArgs, config) {
+  if (remoteArgs.length === 0) {
+    return { decision: "allow", reason: "interactive", details: [] };
+  }
+  const remoteCmd = remoteArgs[0];
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs.length === 1) {
+    return { decision: "allow", reason: "interactive shell", details: [] };
+  }
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs[1] === "-c" && remoteArgs.length >= 3) {
+    const innerCommand = remoteArgs.slice(2).join(" ");
+    const parsed2 = parseCommand(innerCommand);
+    return evaluate(parsed2, config);
+  }
+  const parsed = {
+    commands: [{ command: remoteCmd, args: remoteArgs.slice(1) }],
+    hasSubshell: false,
+    subshellCommands: []
+  };
+  return evaluate(parsed, config);
+}
 function parseDockerExecArgs(args2) {
   let target = null;
   const remoteArgs = [];
@@ -18627,29 +18648,19 @@ function parseDockerExecArgs(args2) {
     }
     i++;
   }
-  return { target, remoteCommand: remoteArgs.length > 0 ? remoteArgs.join(" ") : null };
+  return { target, remoteArgs };
 }
 function evaluateDockerExec(cmd, config) {
   const { command, args: args2 } = cmd;
   if (args2[0] !== "exec") return null;
-  const { target, remoteCommand } = parseDockerExecArgs(args2.slice(1));
+  const { target, remoteArgs } = parseDockerExecArgs(args2.slice(1));
   if (!target || !matchesPattern(target, config.trustedDockerContainers || [])) return null;
-  if (!remoteCommand) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted Docker container "${target}" (interactive)`,
-      matchedRule: "trustedDockerContainers"
-    };
-  }
-  const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, config);
+  const result = evaluateRemoteCommand(remoteArgs, config);
   return {
     command,
     args: args2,
     decision: result.decision,
-    reason: `Trusted Docker container "${target}": ${result.reason}`,
+    reason: `Trusted Docker container "${target}" (${result.reason})`,
     matchedRule: "trustedDockerContainers"
   };
 }
@@ -18684,11 +18695,9 @@ function parseKubectlExecArgs(args2) {
   let pod = null;
   const remoteArgs = [];
   let i = 0;
-  let pastSeparator = false;
   while (i < args2.length) {
     const arg = args2[i];
     if (arg === "--") {
-      pastSeparator = true;
       i++;
       while (i < args2.length) {
         remoteArgs.push(args2[i]);
@@ -18717,30 +18726,20 @@ function parseKubectlExecArgs(args2) {
     }
     i++;
   }
-  return { context, pod, remoteCommand: remoteArgs.length > 0 ? remoteArgs.join(" ") : null };
+  return { context, pod, remoteArgs };
 }
 function evaluateKubectlExec(cmd, config) {
   const { command, args: args2 } = cmd;
   if (args2[0] !== "exec") return null;
-  const { context, pod, remoteCommand } = parseKubectlExecArgs(args2.slice(1));
+  const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
   const trustedContexts = config.trustedKubectlContexts || [];
   if (!context || !matchesPattern(context, trustedContexts)) return null;
-  if (!remoteCommand) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (interactive)`,
-      matchedRule: "trustedKubectlContexts"
-    };
-  }
-  const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, config);
+  const result = evaluateRemoteCommand(remoteArgs, config);
   return {
     command,
     args: args2,
     decision: result.decision,
-    reason: `Trusted kubectl context "${context}": ${result.reason}`,
+    reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (${result.reason})`,
     matchedRule: "trustedKubectlContexts"
   };
 }
@@ -18785,7 +18784,7 @@ function parseSpriteExecArgs(args2) {
         i++;
         continue;
       }
-      return { spriteName: null, remoteCommand: null };
+      return { spriteName: null, remoteArgs: [] };
     }
     while (i < args2.length) {
       remoteArgs.push(args2[i]);
@@ -18793,32 +18792,19 @@ function parseSpriteExecArgs(args2) {
     }
     break;
   }
-  return {
-    spriteName,
-    remoteCommand: remoteArgs.length > 0 ? remoteArgs.join(" ") : null
-  };
+  return { spriteName, remoteArgs };
 }
 function evaluateSpriteExec(cmd, config) {
   const { command, args: args2 } = cmd;
-  const { spriteName, remoteCommand } = parseSpriteExecArgs(args2);
+  const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
   const trustedSprites = config.trustedSprites || [];
   if (!spriteName || !matchesPattern(spriteName, trustedSprites)) return null;
-  if (!remoteCommand) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted sprite "${spriteName}" (interactive)`,
-      matchedRule: "trustedSprites"
-    };
-  }
-  const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, config);
+  const result = evaluateRemoteCommand(remoteArgs, config);
   return {
     command,
     args: args2,
     decision: result.decision,
-    reason: `Trusted sprite "${spriteName}": ${result.reason}`,
+    reason: `Trusted sprite "${spriteName}" (${result.reason})`,
     matchedRule: "trustedSprites"
   };
 }
@@ -19397,7 +19383,18 @@ function formatSystemMessage(decision, rawCommand, details) {
   const relevant = details.filter((d) => d.decision !== "allow");
   if (decision === "ask") {
     const parts = relevant.map((d) => `\`${d.command}\`: ${d.reason}`);
-    return `[warden] ${parts.join(" | ")} \u2014 To auto-allow, see /warden-allow`;
+    const header = `[warden] ${parts.join(" | ")}`;
+    const subcommandHints = relevant.filter((d) => d.args.length > 0).map((d) => {
+      const sub = d.args[0];
+      return `  Option A: Allow all \`${d.command}\` \u2192 \`/warden-allow ${d.command}\`
+  Option B: Allow only \`${d.command} ${sub}\` \u2192 \`/warden-allow ${d.command} ${sub}\``;
+    });
+    if (subcommandHints.length > 0) {
+      return `${header}
+${subcommandHints.join("\n")}
+See /warden-allow`;
+    }
+    return `${header} \u2014 To auto-allow, see /warden-allow`;
   }
   const lines = ["[warden] Command blocked", ""];
   if (relevant.length > 0) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.1.9",
+  "version": "1.1.11",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",
@@ -44,6 +44,9 @@
     "typecheck": "tsc --noEmit",
     "eval": "node dist/index.cjs",
     "sync-plugin-version": "node -e \"const p=require('./package.json'),fs=require('fs'),f='.claude-plugin/plugin.json',j=JSON.parse(fs.readFileSync(f));j.version=p.version;fs.writeFileSync(f,JSON.stringify(j,null,2)+'\\n')\"",
+    "release": "scripts/release.sh patch",
+    "release:minor": "scripts/release.sh minor",
+    "release:major": "scripts/release.sh major",
     "docs:dev": "cd docs-src && pnpm dev",
     "docs:build": "cd docs-src && pnpm install && pnpm build"
   }