claude-warden 1.2.1 → 1.4.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.2.1",
+  "version": "1.4.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -127,14 +127,14 @@ rules:
         description: Read-only docker commands
 ```
 
-## Feedback and `/warden-allow`
+## Feedback and `/claude-warden:warden-allow`
 
 When Warden blocks or flags a command, it includes a system message explaining:
 
 1. **Why** the command was blocked/flagged (per-command reasons)
 2. **How to allow it** — a ready-to-use YAML snippet for your config
 
-Use the `/warden-allow` slash command to apply the suggested config change. It will ask which scope (project or user) to use.
+Use the `/claude-warden:warden-allow` slash command to apply the suggested config change. It will ask which scope (project or user) to use.
 
 ## Built-in defaults
 

package/config/warden.default.yaml

@@ -27,29 +27,45 @@ askOnSubshell: true
 # Trusted SSH hosts — ssh/scp/rsync to these hosts are auto-allowed.
 # Remote commands on trusted hosts are recursively evaluated through warden rules.
 # Supports glob patterns (* wildcards).
+# Entries can be strings (use global overrides) or objects with per-target settings.
 # trustedSSHHosts:
-#   - devserver
+#   - devserver                          # string → uses global overrides only
 #   - staging-*
 #   - "*.internal.company.com"
-#   - 192.168.1.*
+#   - name: prod-bastion                 # object with per-target overrides
+#     overrides:
+#       alwaysAllow: [systemctl]
 
 # Trusted Docker containers — docker exec to these containers are auto-allowed.
 # Remote commands are recursively evaluated through warden rules.
 # trustedDockerContainers:
-#   - my-app
-#   - dev-*
+#   - my-app                             # string → uses global overrides only
+#   - name: dev-container                # object with allowAll (skip all checks)
+#     allowAll: true
+#   - name: staging-*                    # object with per-target overrides
+#     overrides:
+#       alwaysAllow: [sudo, apt]
 
 # Trusted kubectl contexts — kubectl exec in these contexts are auto-allowed.
 # Remote commands (after --) are recursively evaluated through warden rules.
 # trustedKubectlContexts:
 #   - minikube
-#   - dev-cluster-*
+#   - name: dev-cluster-*
+#     overrides:
+#       alwaysAllow: [sudo]
+#   - name: prod-cluster
+#     overrides:
+#       alwaysDeny: [rm]
 
 # Trusted Sprites — sprite exec/console to these sprites are auto-allowed.
 # Remote commands are recursively evaluated through warden rules.
 # trustedSprites:
-#   - my-sprite
-#   - dev-*
+#   - my-sprite                          # string → uses global overrides only
+#   - name: yudu-claw                    # allowAll: skip all checks (disposable env)
+#     allowAll: true
+#   - name: dev-*                        # per-target overrides
+#     overrides:
+#       alwaysAllow: [sudo, apt]
 
 # Override rules when evaluating commands inside trusted remote contexts
 # (docker exec, kubectl exec, ssh, sprite exec). These overrides are applied

package/dist/index.cjs

@@ -18515,8 +18515,8 @@ function globToRegex(pattern) {
   }
   return new RegExp(`^${regex}$`);
 }
-function matchesPattern(value, patterns) {
-  return patterns.some((p) => globToRegex(p).test(value));
+function findMatchingTarget(value, targets) {
+  return targets.find((t) => globToRegex(t.name).test(value)) || null;
 }
 function parseSSHArgs(args2) {
   let host = null;
@@ -18560,19 +18560,21 @@ function evaluateSSHCommand(cmd, config) {
   const trustedHosts = config.trustedSSHHosts || [];
   if (command === "scp" || command === "rsync") {
     const host2 = extractHostFromRemotePath(args2);
-    if (host2 && matchesPattern(host2, trustedHosts)) {
-      return {
-        command,
-        args: args2,
-        decision: "allow",
-        reason: `Trusted SSH host "${host2}"`,
-        matchedRule: "trustedSSHHosts"
-      };
-    }
-    return null;
+    if (!host2) return null;
+    const target2 = findMatchingTarget(host2, trustedHosts);
+    if (!target2) return null;
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host2}"`,
+      matchedRule: "trustedSSHHosts"
+    };
   }
   const { host, remoteCommand } = parseSSHArgs(args2);
-  if (!host || !matchesPattern(host, trustedHosts)) return null;
+  if (!host) return null;
+  const target = findMatchingTarget(host, trustedHosts);
+  if (!target) return null;
   if (!remoteCommand) {
     return {
       command,
@@ -18582,8 +18584,17 @@ function evaluateSSHCommand(cmd, config) {
       matchedRule: "trustedSSHHosts"
     };
   }
+  if (target.allowAll) {
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host}" (allowAll)`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
   const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, configWithContextOverrides(config));
+  const result = evaluate(parsed, configWithContextOverrides(config, target));
   return {
     command,
     args: args2,
@@ -18603,15 +18614,21 @@ var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
   "--detach-keys"
 ]);
 var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
-function configWithContextOverrides(config) {
-  if (!config.trustedContextOverrides) return config;
+function configWithContextOverrides(config, target) {
+  const overrideLayers = [];
+  if (target?.overrides) overrideLayers.push(target.overrides);
+  if (config.trustedContextOverrides) overrideLayers.push(config.trustedContextOverrides);
+  if (overrideLayers.length === 0) return config;
   return {
     ...config,
-    layers: [config.trustedContextOverrides, ...config.layers]
+    layers: [...overrideLayers, ...config.layers]
   };
 }
-function evaluateRemoteCommand(remoteArgs, config) {
-  const overriddenConfig = configWithContextOverrides(config);
+function evaluateRemoteCommand(remoteArgs, config, target) {
+  if (target?.allowAll) {
+    return { decision: "allow", reason: "allowAll target", details: [] };
+  }
+  const overriddenConfig = configWithContextOverrides(config, target);
   if (remoteArgs.length === 0) {
     return { decision: "allow", reason: "interactive", details: [] };
   }
@@ -18625,9 +18642,10 @@ function evaluateRemoteCommand(remoteArgs, config) {
     return evaluate(parsed2, overriddenConfig);
   }
   const parsed = {
-    commands: [{ command: remoteCmd, args: remoteArgs.slice(1) }],
+    commands: [{ command: remoteCmd, args: remoteArgs.slice(1), envPrefixes: [], raw: remoteArgs.join(" ") }],
     hasSubshell: false,
-    subshellCommands: []
+    subshellCommands: [],
+    parseError: false
   };
   return evaluate(parsed, overriddenConfig);
 }
@@ -18661,14 +18679,16 @@ function parseDockerExecArgs(args2) {
 function evaluateDockerExec(cmd, config) {
   const { command, args: args2 } = cmd;
   if (args2[0] !== "exec") return null;
-  const { target, remoteArgs } = parseDockerExecArgs(args2.slice(1));
-  if (!target || !matchesPattern(target, config.trustedDockerContainers || [])) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config);
+  const { target: containerName, remoteArgs } = parseDockerExecArgs(args2.slice(1));
+  if (!containerName) return null;
+  const matched = findMatchingTarget(containerName, config.trustedDockerContainers || []);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched);
   return {
     command,
     args: args2,
     decision: result.decision,
-    reason: `Trusted Docker container "${target}" (${result.reason})`,
+    reason: `Trusted Docker container "${containerName}" (${result.reason})`,
     matchedRule: "trustedDockerContainers"
   };
 }
@@ -18740,9 +18760,10 @@ function evaluateKubectlExec(cmd, config) {
   const { command, args: args2 } = cmd;
   if (args2[0] !== "exec") return null;
   const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
-  const trustedContexts = config.trustedKubectlContexts || [];
-  if (!context || !matchesPattern(context, trustedContexts)) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config);
+  if (!context) return null;
+  const matched = findMatchingTarget(context, config.trustedKubectlContexts || []);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched);
   return {
     command,
     args: args2,
@@ -18805,9 +18826,10 @@ function parseSpriteExecArgs(args2) {
 function evaluateSpriteExec(cmd, config) {
   const { command, args: args2 } = cmd;
   const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
-  const trustedSprites = config.trustedSprites || [];
-  if (!spriteName || !matchesPattern(spriteName, trustedSprites)) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config);
+  if (!spriteName) return null;
+  const matched = findMatchingTarget(spriteName, config.trustedSprites || []);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched);
   return {
     command,
     args: args2,
@@ -19058,6 +19080,19 @@ var DEFAULT_CONFIG = {
       "yq",
       "xargs",
       "seq",
+      // Network diagnostics (read-only)
+      "nslookup",
+      "dig",
+      "host",
+      "ping",
+      "traceroute",
+      "mtr",
+      "netstat",
+      "ss",
+      "ifconfig",
+      "ip",
+      "nmap",
+      "arp",
       // Pagers and formatters
       "bat",
       "pygmentize",
@@ -19072,6 +19107,74 @@ var DEFAULT_CONFIG = {
       "tput",
       "reset",
       "clear",
+      // System/hardware info
+      "lscpu",
+      "lsblk",
+      "lsusb",
+      "lspci",
+      "lsmod",
+      "dmesg",
+      "sysctl",
+      "sw_vers",
+      "system_profiler",
+      "hostinfo",
+      "lsb_release",
+      "hostnamectl",
+      "arch",
+      "getconf",
+      // User/group info
+      "groups",
+      "getent",
+      "w",
+      "last",
+      "lastlog",
+      "finger",
+      "users",
+      // Process info
+      "pgrep",
+      "pidof",
+      "jobs",
+      // Compression/archive
+      "tar",
+      "gzip",
+      "gunzip",
+      "bzip2",
+      "bunzip2",
+      "xz",
+      "unxz",
+      "zip",
+      "unzip",
+      "7z",
+      "zcat",
+      "bzcat",
+      "xzcat",
+      "zless",
+      "zmore",
+      "zgrep",
+      // Clipboard
+      "pbcopy",
+      "pbpaste",
+      "xclip",
+      "xsel",
+      "wl-copy",
+      "wl-paste",
+      // Binary analysis
+      "strings",
+      "nm",
+      "objdump",
+      "readelf",
+      "ldd",
+      "otool",
+      "size",
+      // macOS utilities (read-only)
+      "mdfind",
+      "mdls",
+      "mdutil",
+      "plutil",
+      "sips",
+      "xcode-select",
+      "xcrun",
+      "xcodebuild",
       // Misc safe
       "cd",
       "pushd",
@@ -19089,7 +19192,18 @@ var DEFAULT_CONFIG = {
       "shasum",
       "cksum",
       "base64",
-      "openssl"
+      "openssl",
+      "watch",
+      "timeout",
+      "nohup",
+      "nice",
+      "iconv",
+      "locale",
+      "localedef",
+      "numfmt",
+      "factor",
+      "bc",
+      "dc"
     ],
     alwaysDeny: [
       "sudo",
@@ -19113,7 +19227,9 @@ var DEFAULT_CONFIG = {
       "crontab",
       "systemctl",
       "service",
-      "launchctl"
+      "launchctl",
+      "wipefs",
+      "shred"
     ],
     rules: [
       // --- CLI tools ---
@@ -19228,7 +19344,15 @@ var DEFAULT_CONFIG = {
         ]
       },
       { command: "docker-compose", default: "ask" },
-      { command: "kubectl", default: "ask" },
+      {
+        command: "kubectl",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(get|describe|logs|top|explain|api-resources|api-versions|version|config|cluster-info)$"] }, decision: "allow", description: "Read-only kubectl commands" },
+          { match: { anyArgMatches: ["^(delete|drain|cordon|taint)$"] }, decision: "ask", reason: "Destructive kubectl operation" },
+          VERSION_HELP_FLAGS
+        ]
+      },
       // --- File operations ---
       {
         command: "rm",
@@ -19268,7 +19392,92 @@ var DEFAULT_CONFIG = {
       // --- Terraform / IaC ---
       { command: "terraform", default: "ask", argPatterns: [
         { match: { anyArgMatches: ["^(plan|validate|fmt|show|state|output|providers|version|graph|console)$"] }, decision: "allow", description: "Read-only terraform commands" }
-      ] }
+      ] },
+      // --- macOS open ---
+      { command: "open", default: "ask" },
+      // --- Text editors ---
+      ...["vi", "vim", "nvim", "nano", "emacs"].map((cmd) => ({
+        command: cmd,
+        default: "ask",
+        argPatterns: [VERSION_HELP_FLAGS]
+      })),
+      // --- Scripting languages ---
+      ...["ruby", "perl", "php"].map((cmd) => ({
+        command: cmd,
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-e$", "^--eval"] }, decision: "ask", reason: "Inline code execution" },
+          VERSION_HELP_FLAGS
+        ]
+      })),
+      // --- Java ecosystem ---
+      { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
+      { command: "javac", default: "allow" },
+      // --- Swift / Zig / Dotnet ---
+      { command: "swift", default: "allow", argPatterns: [
+        { match: { anyArgMatches: ["^(build|test|run|package)$"] }, decision: "allow" }
+      ] },
+      { command: "swiftc", default: "allow" },
+      { command: "zig", default: "allow" },
+      { command: "dotnet", default: "allow", argPatterns: [
+        { match: { anyArgMatches: ["^(publish|nuget)$"] }, decision: "ask", reason: "Publishing" }
+      ] },
+      // --- Database CLIs ---
+      ...["psql", "mysql", "mariadb", "sqlite3", "redis-cli", "mongosh"].map((cmd) => ({
+        command: cmd,
+        default: "ask",
+        argPatterns: [VERSION_HELP_FLAGS]
+      })),
+      // --- Cloud CLIs ---
+      { command: "gcloud", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(info|version|help|config|components)$"] }, decision: "allow", description: "Config/info" },
+        { match: { anyArgMatches: ["^(list|describe|get-iam-policy|get)$"] }, decision: "allow", description: "Read-only ops" },
+        VERSION_HELP_FLAGS
+      ] },
+      { command: "az", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(list|show|get)$"] }, decision: "allow", description: "Read-only ops" },
+        VERSION_HELP_FLAGS
+      ] },
+      { command: "aws", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(describe|list|get|sts)$"] }, decision: "allow", description: "Read-only ops" },
+        VERSION_HELP_FLAGS
+      ] },
+      // --- Helm ---
+      { command: "helm", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(list|search|show|status|get|template|version|env|history)$"] }, decision: "allow", description: "Read-only helm commands" },
+        VERSION_HELP_FLAGS
+      ] },
+      // --- Screen/tmux ---
+      ...["screen", "tmux"].map((cmd) => ({
+        command: cmd,
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^(list-sessions|ls|list)$"] }, decision: "allow", description: "List sessions" },
+          VERSION_HELP_FLAGS
+        ]
+      })),
+      // --- GPG ---
+      { command: "gpg", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(--verify|--list-keys|--list-secret-keys|--fingerprint)$"] }, decision: "allow", description: "Read-only gpg" },
+        VERSION_HELP_FLAGS
+      ] },
+      // --- macOS-specific ---
+      { command: "defaults", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(read|read-type|find|domains)$"] }, decision: "allow", description: "Read-only defaults operations" }
+      ] },
+      { command: "diskutil", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(list|info|apfs|cs|appleRAID)$"] }, decision: "allow", description: "Read-only diskutil" }
+      ] },
+      { command: "codesign", default: "ask", argPatterns: [
+        { match: { anyArgMatches: ["^(-vv|--verify|--display|-d)$"] }, decision: "allow", description: "Verify codesign" }
+      ] },
+      { command: "osascript", default: "ask" },
+      { command: "say", default: "ask" },
+      // --- Process management ---
+      { command: "kill", default: "ask" },
+      { command: "killall", default: "ask" },
+      { command: "pkill", default: "ask" },
+      { command: "renice", default: "ask" }
     ]
   }]
 };
@@ -19335,18 +19544,33 @@ function extractLayer(raw) {
     rules: Array.isArray(raw.rules) ? raw.rules : []
   };
 }
+function parseTrustedList(raw) {
+  return raw.map((entry) => {
+    if (typeof entry === "string") return { name: entry };
+    if (entry && typeof entry === "object" && "name" in entry) {
+      const obj = entry;
+      const target = { name: String(obj.name) };
+      if (obj.allowAll === true) target.allowAll = true;
+      if (obj.overrides && typeof obj.overrides === "object") {
+        target.overrides = extractLayer(obj.overrides);
+      }
+      return target;
+    }
+    return null;
+  }).filter((t) => t !== null);
+}
 function mergeNonLayerFields(config, raw) {
   if (Array.isArray(raw.trustedSSHHosts)) {
-    config.trustedSSHHosts = [...config.trustedSSHHosts || [], ...raw.trustedSSHHosts];
+    config.trustedSSHHosts = [...config.trustedSSHHosts || [], ...parseTrustedList(raw.trustedSSHHosts)];
   }
   if (Array.isArray(raw.trustedDockerContainers)) {
-    config.trustedDockerContainers = [...config.trustedDockerContainers || [], ...raw.trustedDockerContainers];
+    config.trustedDockerContainers = [...config.trustedDockerContainers || [], ...parseTrustedList(raw.trustedDockerContainers)];
   }
   if (Array.isArray(raw.trustedKubectlContexts)) {
-    config.trustedKubectlContexts = [...config.trustedKubectlContexts || [], ...raw.trustedKubectlContexts];
+    config.trustedKubectlContexts = [...config.trustedKubectlContexts || [], ...parseTrustedList(raw.trustedKubectlContexts)];
   }
   if (Array.isArray(raw.trustedSprites)) {
-    config.trustedSprites = [...config.trustedSprites || [], ...raw.trustedSprites];
+    config.trustedSprites = [...config.trustedSprites || [], ...parseTrustedList(raw.trustedSprites)];
   }
   if (typeof raw.defaultDecision === "string") {
     config.defaultDecision = raw.defaultDecision;
@@ -19408,15 +19632,15 @@ function formatSystemMessage(decision, rawCommand, details) {
     const header = `[warden] ${parts.join(" | ")}`;
     const subcommandHints = relevant.filter((d) => d.args.length > 0).map((d) => {
       const sub = d.args[0];
-      return `  Option A: Allow all \`${d.command}\` \u2192 \`/warden-allow ${d.command}\`
-  Option B: Allow only \`${d.command} ${sub}\` \u2192 \`/warden-allow ${d.command} ${sub}\``;
+      return `  Option A: Allow all \`${d.command}\` \u2192 \`/claude-warden:warden-allow ${d.command}\`
+  Option B: Allow only \`${d.command} ${sub}\` \u2192 \`/claude-warden:warden-allow ${d.command} ${sub}\``;
     });
     if (subcommandHints.length > 0) {
       return `${header}
 ${subcommandHints.join("\n")}
-See /warden-allow`;
+See /claude-warden:warden-allow`;
     }
-    return `${header} \u2014 To auto-allow, see /warden-allow`;
+    return `${header} \u2014 To auto-allow, see /claude-warden:warden-allow`;
   }
   const lines = ["[warden] Command blocked", ""];
   if (relevant.length > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.2.1",
+  "version": "1.4.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",