claude-warden 1.8.2 → 1.10.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.8.2",
+  "version": "1.10.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -133,6 +133,29 @@ rules:
         description: Read-only docker commands
 ```
 
+## YOLO mode
+
+Need to temporarily bypass all permission prompts? YOLO mode auto-allows all commands for a limited time or the full session — while still blocking always-deny commands (like `sudo`, `shutdown`) for safety.
+
+### Activate via slash command
+
+```
+/claude-warden:yolo session    # Full session, no expiry
+/claude-warden:yolo 5m         # 5 minutes
+/claude-warden:yolo 15m        # 15 minutes
+/claude-warden:yolo off        # Turn off immediately
+```
+
+Running `/claude-warden:yolo` with no arguments shows a menu of duration options.
+
+### How it works
+
+YOLO mode is **session-scoped** — it only affects the current Claude Code session. The hook intercepts special activation commands and stores state in a temp file keyed by session ID. When a command is evaluated during YOLO mode, the hook skips normal rule evaluation and auto-allows (except always-deny commands). Expired YOLO states are cleaned up automatically.
+
+### Discovery
+
+When Warden prompts you for permission (`ask` decision), the system message includes a tip about YOLO mode so you can discover it when you need it most.
+
 ## Feedback and `/claude-warden:warden-allow`
 
 When Warden blocks or flags a command, it includes a system message explaining:

package/config/warden.default.yaml

@@ -86,9 +86,36 @@ notifyOnDeny: true
 
 # Command-specific rules (override built-in rules by command name).
 # The first scope (project > user > default) with a rule for a given command wins.
+#
+# IMPORTANT: Rules are matched by the command being executed, not by arguments.
+# For example, when Claude runs `python -c "import foo"`, warden looks up rules
+# for command: "python" — NOT "bash" or "sh". A common mistake is writing rules
+# for "bash" with argPatterns matching "python"; this won't work because warden
+# sees the command as "python".
+#
 # rules:
+#   # Allow all python commands
+#   - command: python
+#     default: allow
+#
+#   # Allow python -c but ask for other python usage
+#   - command: python
+#     default: ask
+#     argPatterns:
+#       - match:
+#           anyArgMatches: ['^-c$']
+#         decision: allow
+#         description: Allow python -c inline scripts
+#
+#   # Allow all node.js execution
+#   - command: node
+#     default: allow
+#
+#   # Trust all npx in this project
 #   - command: npx
-#     default: allow          # Trust all npx in this project
+#     default: allow
+#
+#   # Docker with selective allow
 #   - command: docker
 #     default: ask
 #     argPatterns:

package/dist/index.cjs

@@ -18551,6 +18551,9 @@ function evaluateCommand(cmd, config, depth = 0) {
   if (command === "xargs") {
     return evaluateXargsCommand(cmd, config, depth);
   }
+  if (command === "find") {
+    return evaluateFindCommand(cmd, config, depth);
+  }
   const mergedRule = collectMergedRule(cmd, config);
   if (mergedRule) {
     return evaluateRule(cmd, mergedRule);
@@ -18738,6 +18741,64 @@ function evaluateXargsCommand(cmd, config, depth = 0) {
     matchedRule: "xargs:subcommand"
   };
 }
+function parseFindExecCommands(args2) {
+  const commands = [];
+  let i = 0;
+  while (i < args2.length) {
+    if (args2[i] === "-exec" || args2[i] === "-execdir") {
+      i++;
+      const cmdArgs = [];
+      while (i < args2.length && args2[i] !== ";" && args2[i] !== "+") {
+        if (args2[i] !== "{}") {
+          cmdArgs.push(args2[i]);
+        }
+        i++;
+      }
+      i++;
+      if (cmdArgs.length > 0) {
+        commands.push({
+          command: cmdArgs[0],
+          originalCommand: cmdArgs[0],
+          args: cmdArgs.slice(1),
+          envPrefixes: [],
+          raw: cmdArgs.join(" ")
+        });
+      }
+    } else {
+      i++;
+    }
+  }
+  return commands;
+}
+function evaluateFindCommand(cmd, config, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2.some((a) => a === "-delete")) {
+    return { command, args: args2, decision: "ask", reason: "find -delete can remove files", matchedRule: "find:delete" };
+  }
+  if (args2.some((a) => a === "-ok" || a === "-okdir")) {
+    return { command, args: args2, decision: "ask", reason: "find -ok/-okdir can execute commands interactively", matchedRule: "find:ok" };
+  }
+  const execCommands = parseFindExecCommands(args2);
+  if (execCommands.length === 0) {
+    return { command, args: args2, decision: "allow", reason: "find without dangerous flags", matchedRule: "find:safe" };
+  }
+  for (const execCmd of execCommands) {
+    const parsed = {
+      commands: [execCmd],
+      hasSubshell: false,
+      subshellCommands: [],
+      parseError: false
+    };
+    const result = evaluate(parsed, config, depth + 1);
+    if (result.decision === "deny") {
+      return { command, args: args2, decision: "deny", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+    if (result.decision === "ask") {
+      return { command, args: args2, decision: "ask", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+  }
+  return { command, args: args2, decision: "allow", reason: "find -exec commands are safe", matchedRule: "find:exec" };
+}
 var SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
   "-b",
   "-c",
@@ -19687,13 +19748,7 @@ var DEFAULT_CONFIG = {
         ]
       },
       // --- Potentially dangerous text/file tools ---
-      {
-        command: "find",
-        default: "allow",
-        argPatterns: [
-          { match: { anyArgMatches: ["^-exec$", "^-execdir$", "^-delete$", "^-ok$", "^-okdir$"] }, decision: "ask", reason: "find can execute or delete files" }
-        ]
-      },
+      // `find` is handled specially in the evaluator (recursive -exec evaluation)
       {
         command: "sed",
         default: "allow",
@@ -19925,6 +19980,35 @@ function tryLoadFile(filePath) {
   }
   return null;
 }
+var KNOWN_COMMANDS = /* @__PURE__ */ new Set([
+  ...DEFAULT_CONFIG.layers[0].alwaysAllow,
+  ...DEFAULT_CONFIG.layers[0].alwaysDeny,
+  ...DEFAULT_CONFIG.layers[0].rules.map((r) => r.command)
+]);
+function warnArgPatternCommandMismatch(rule) {
+  if (!Array.isArray(rule.argPatterns)) return;
+  for (const pattern of rule.argPatterns) {
+    const matchers = [
+      ...pattern.match?.anyArgMatches || [],
+      ...pattern.match?.argsMatch || []
+    ];
+    for (const m of matchers) {
+      const literals = extractLiteralsFromPattern(m);
+      for (const lit of literals) {
+        if (lit !== rule.command && KNOWN_COMMANDS.has(lit)) {
+          process.stderr.write(
+            `[warden] Warning: rule for "${rule.command}" has argPattern matching "${lit}" \u2014 this won't work as expected. Rules are matched by the command being run, not its arguments. If you want to control "${lit}", add a separate rule with command: "${lit}".
+`
+          );
+        }
+      }
+    }
+  }
+}
+function extractLiteralsFromPattern(pattern) {
+  let cleaned = pattern.replace(/^\^?\(?(.*?)\)?\$?$/, "$1");
+  return cleaned.split("|").map((s) => s.trim()).filter((s) => /^[a-z][a-z0-9_-]*$/i.test(s));
+}
 function extractLayer(raw) {
   const rules = Array.isArray(raw.rules) ? raw.rules : [];
   for (const rule of rules) {
@@ -19943,6 +20027,7 @@ function extractLayer(raw) {
           }
         }
       }
+      warnArgPatternCommandMismatch(rule);
     }
   }
   return {
@@ -20053,12 +20138,15 @@ function formatSystemMessage(decision, rawCommand, details) {
       return `  Option A: Allow all \`${d.command}\` \u2192 \`/claude-warden:warden-allow ${d.command}\`
   Option B: Allow only \`${d.command} ${sub}\` \u2192 \`/claude-warden:warden-allow ${d.command} ${sub}\``;
     });
+    const yoloHint = "Tip: `/claude-warden:yolo` to temporarily allow all commands";
     if (subcommandHints.length > 0) {
       return `${header}
 ${subcommandHints.join("\n")}
-See /claude-warden:warden-allow`;
+See /claude-warden:warden-allow
+${yoloHint}`;
     }
-    return `${header} \u2014 To auto-allow, see /claude-warden:warden-allow`;
+    return `${header} \u2014 To auto-allow, see /claude-warden:warden-allow
+${yoloHint}`;
   }
   const lines = ["[warden] Command blocked", ""];
   if (relevant.length > 0) {
@@ -20140,6 +20228,72 @@ function sendNotification(title, message, config) {
   }
 }
 
+// src/yolo.ts
+var import_fs2 = require("fs");
+var import_os3 = require("os");
+var import_path3 = require("path");
+function yoloFilePath(sessionId) {
+  return (0, import_path3.join)((0, import_os3.tmpdir)(), `claude-warden-yolo-${sessionId}`);
+}
+function getYoloState(sessionId) {
+  const filePath = yoloFilePath(sessionId);
+  if (!(0, import_fs2.existsSync)(filePath)) return null;
+  try {
+    const raw = (0, import_fs2.readFileSync)(filePath, "utf-8");
+    const state = JSON.parse(raw);
+    if (state.expiresAt && new Date(state.expiresAt) <= /* @__PURE__ */ new Date()) {
+      try {
+        (0, import_fs2.unlinkSync)(filePath);
+      } catch {
+      }
+      return null;
+    }
+    return state;
+  } catch {
+    return null;
+  }
+}
+function activateYolo(sessionId, durationMinutes, bypassDeny = false) {
+  const now = /* @__PURE__ */ new Date();
+  const state = {
+    activatedAt: now.toISOString(),
+    expiresAt: durationMinutes ? new Date(now.getTime() + durationMinutes * 6e4).toISOString() : null,
+    bypassDeny
+  };
+  (0, import_fs2.writeFileSync)(yoloFilePath(sessionId), JSON.stringify(state), "utf-8");
+  return state;
+}
+var YOLO_PATTERN = /^echo\s+__WARDEN_YOLO_(ACTIVATE|DEACTIVATE|STATUS)__(?::(\w+))?$/;
+function parseYoloCommand(command) {
+  const match = command.trim().match(YOLO_PATTERN);
+  if (!match) return null;
+  const action = match[1].toLowerCase();
+  const param = match[2] || null;
+  if (action === "activate") {
+    let durationMinutes = null;
+    if (param && param !== "session") {
+      const m = param.match(/^(\d+)m?$/);
+      if (m) {
+        durationMinutes = parseInt(m[1], 10);
+      } else {
+        return null;
+      }
+    }
+    return { action, durationMinutes };
+  }
+  return { action, durationMinutes: null };
+}
+function deactivateYolo(sessionId) {
+  const filePath = yoloFilePath(sessionId);
+  if (!(0, import_fs2.existsSync)(filePath)) return false;
+  try {
+    (0, import_fs2.unlinkSync)(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 // src/index.ts
 var MAX_STDIN_SIZE = 1024 * 1024;
 async function main() {
@@ -20174,7 +20328,54 @@ async function main() {
   if (!command || typeof command !== "string") {
     process.exit(0);
   }
+  const yoloCmd = parseYoloCommand(command);
+  if (yoloCmd) {
+    let msg2;
+    if (yoloCmd.action === "activate") {
+      const state = activateYolo(input.session_id, yoloCmd.durationMinutes);
+      const expiryInfo = state.expiresAt ? `expires at ${new Date(state.expiresAt).toLocaleTimeString()}` : "full session, no expiry";
+      msg2 = `[warden] YOLO mode activated (${expiryInfo}). Always-deny commands are still blocked. Use \`echo __WARDEN_YOLO_DEACTIVATE__\` to turn off.`;
+    } else if (yoloCmd.action === "deactivate") {
+      deactivateYolo(input.session_id);
+      msg2 = "[warden] YOLO mode deactivated. Normal rule evaluation resumed.";
+    } else {
+      const state = getYoloState(input.session_id);
+      if (state) {
+        const expiryInfo = state.expiresAt ? `expires at ${new Date(state.expiresAt).toLocaleTimeString()}` : "full session";
+        msg2 = `[warden] YOLO mode is active (${expiryInfo})`;
+      } else {
+        msg2 = "[warden] YOLO mode is not active";
+      }
+    }
+    const output2 = {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "allow",
+        permissionDecisionReason: msg2
+      }
+    };
+    process.stdout.write(JSON.stringify(output2));
+    process.exit(0);
+  }
   const config = loadConfig(input.cwd);
+  const yoloState = getYoloState(input.session_id);
+  if (yoloState) {
+    const parsed2 = parseCommand(command);
+    const result2 = evaluate(parsed2, config);
+    if (result2.decision === "deny" && !yoloState.bypassDeny) {
+    } else {
+      const expiryInfo = yoloState.expiresAt ? `expires ${new Date(yoloState.expiresAt).toLocaleTimeString()}` : "full session";
+      const output2 = {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "allow",
+          permissionDecisionReason: `[warden] YOLO mode active (${expiryInfo})`
+        }
+      };
+      process.stdout.write(JSON.stringify(output2));
+      process.exit(0);
+    }
+  }
   const parsed = parseCommand(command);
   const result = evaluate(parsed, config);
   if (result.decision === "allow") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "1.8.2",
+  "version": "1.10.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",