claude-warden 2.0.1 → 2.3.1

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.0.1",
+  "version": "2.3.1",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -42,6 +42,28 @@ The result: **100+ common dev commands auto-approved**, dangerous commands auto-
 | `ssh devserver cat /etc/hosts` | Prompted | Auto-allowed (trusted host + safe cmd) |
 | `ssh devserver sudo rm -rf /` | Prompted | Auto-denied (trusted host + dangerous cmd) |
 
+## Warden vs Auto Mode
+
+Claude Code recently introduced [Auto Mode](https://code.claude.com/docs/en/permission-modes#eliminate-prompts-with-auto-mode), which uses a background classifier model to approve or block actions without manual prompts. Here's how it compares to Warden:
+
+| | Warden | Auto Mode |
+|---|---|---|
+| **How it works** | Deterministic rule engine with AST-based shell parsing | LLM classifier (Sonnet 4.6) reviews each action |
+| **Availability** | All plans, all models, all providers (API, Bedrock, Vertex) | Team/Enterprise only, Sonnet 4.6 or Opus 4.6 only |
+| **Token cost** | Zero — runs locally as a hook | Extra classifier calls count toward token usage |
+| **Latency** | Near-instant (local process) | Network round-trip per classified action |
+| **Configurability** | Full control via YAML — per-command rules, `targetPolicies`, and `trustedRemotes` | Prose-based rules, admin-managed trusted infrastructure |
+| **Predictability** | Deterministic — same command always gets the same decision | Probabilistic — classifier may have false positives/negatives |
+| **Scope** | Shell commands only (Bash tool) | All tool calls (Bash, file edits, network, subagents) |
+
+**Can I use both?** Yes. Warden runs as a `PreToolUse` hook, which executes before Auto Mode's classifier. Warden handles fast, deterministic decisions for shell commands, and Auto Mode covers everything else (file edits, network requests, subagent spawning). They are complementary.
+
+**When to choose Warden alone:** You're on a Free/Pro plan, using API/Bedrock/Vertex providers, want zero extra token cost, or need deterministic and auditable command-level rules.
+
+**When to choose Auto Mode alone:** You want broader coverage beyond shell commands and are comfortable with classifier-based decisions.
+
+**When to use both:** You want the best of both worlds — instant deterministic shell command filtering from Warden, plus Auto Mode's broader safety net for non-shell actions.
+
 ## Install
 
 Two commands inside Claude Code:
@@ -129,17 +151,34 @@ alwaysAllow:
 alwaysDeny:
   - nc
 
-# Trusted remote targets (auto-allow connection, evaluate remote commands)
-trustedSSHHosts:
-  - devserver
-  - "*.internal.company.com"
-trustedDockerContainers:
-  - my-app
-  - dev-*
-trustedKubectlContexts:
-  - minikube
-trustedSprites:
-  - my-sprite
+# Trusted remote contexts (auto-allow connection, evaluate remote commands)
+trustedRemotes:
+  - context: ssh
+    name: devserver
+  - context: ssh
+    name: "*.internal.company.com"
+  - context: docker
+    name: my-app
+  - context: docker
+    name: dev-*
+  - context: kubectl
+    name: minikube
+  - context: sprite
+    name: my-sprite
+
+# Target-based policy overrides for data-sensitive commands
+targetPolicies:
+  - type: path
+    path: "{{cwd}}"
+    commands: [rm, cp, mv]
+    decision: allow
+  - type: endpoint
+    pattern: "http://localhost:*"
+    decision: allow
+  - type: database
+    host: "prod-db.internal"
+    decision: deny
+    reason: Production database
 
 # Per-command rules (override built-in defaults for this scope)
 rules:
@@ -169,6 +208,17 @@ Need to temporarily bypass all permission prompts? YOLO mode auto-allows all com
 
 Running `/warden:yolo` with no arguments shows a menu of duration options.
 
+### Activate via environment variable
+
+For non-interactive sessions where `/warden:yolo` can't be invoked (e.g. piped prompts), set the `WARDEN_YOLO` env var:
+
+```bash
+WARDEN_YOLO=true claude < prompts.txt
+WARDEN_YOLO=1 claude < prompts.txt
+```
+
+Unlike the slash command, `WARDEN_YOLO` bypasses **all** checks including always-deny commands — it short-circuits before any parsing or evaluation, same as `--dangerously-skip-permissions`.
+
 ### How it works
 
 YOLO mode is **session-scoped** — it only affects the current Claude Code session. The hook intercepts special activation commands and stores state in a temp file keyed by session ID. When a command is evaluated during YOLO mode, the hook skips normal rule evaluation and auto-allows (except always-deny commands). Expired YOLO states are cleaned up automatically.
@@ -200,21 +250,30 @@ Commands like `node`, `npx`, `docker`, `ssh`, `git push --force`, `rm`, `chmod`
 - `rm temp.txt` is allowed but `rm -rf /` is prompted
 - `chmod 644 file` prompts but `chmod -R 777 /var` is denied
 
-### Trusted remote targets
-Configure trusted hosts/containers/contexts to auto-allow connections and recursively evaluate remote commands:
-- **SSH**: `trustedSSHHosts` — also covers `scp` and `rsync`
-- **Docker**: `trustedDockerContainers` — for `docker exec`
-- **kubectl**: `trustedKubectlContexts` — for `kubectl exec` (requires explicit `--context`)
-- **Sprite**: `trustedSprites` — for `sprite exec`/`console`
+### Trusted remotes
+Configure `trustedRemotes` to auto-allow connections and recursively evaluate remote commands:
+- **SSH**: `context: ssh` — also covers `scp` and `rsync`
+- **Docker**: `context: docker` — for `docker exec`
+- **kubectl**: `context: kubectl` — for `kubectl exec` (requires explicit `--context`)
+- **Sprite**: `context: sprite` — for `sprite exec`/`console`
+- **Fly.io**: `context: fly` — for `fly ssh console`
+
+Remote names support glob patterns: `*`, `?`, `[...]`, `[!...]`, `{a,b,c}`
+
+### Target-based policies
+Configure `targetPolicies` to override decisions based on what a command touches:
+- **Path**: allow or deny commands targeting specific files/directories, including `{{cwd}}`
+- **Database**: match DB host, optional port, and optional database name
+- **Endpoint**: match HTTP(S) endpoints for tools like `curl` and `wget`
 
-All support glob patterns: `*`, `?`, `[...]`, `[!...]`, `{a,b,c}`
+Legacy aliases such as `trustedSSHHosts`, `trustedDockerContainers`, `trustedKubectlContexts`, `trustedSprites`, `trustedFlyApps`, `trustedPaths`, `trustedDatabases`, and `trustedEndpoints` are still supported, but new configs should prefer `trustedRemotes` and `targetPolicies`.
 
 ## How it works
 
 1. Claude Code calls the `PreToolUse` hook before every Bash command
 2. Warden parses the command into an AST via [bash-parser](https://github.com/vorpaljs/bash-parser), walking the tree to extract individual commands from pipes, chains, logical expressions, and subshells
 3. Shell wrappers (`sh -c`, `bash -c`) and remote commands (`ssh`, `docker exec`, `kubectl exec`, `sprite exec`) are recursively parsed and evaluated
-4. Each command is evaluated through the rule hierarchy: alwaysDeny → alwaysAllow → trusted remote targets → command-specific rules with argument matching → default decision (checked per layer in priority order)
+4. Each command is evaluated through the rule hierarchy: alwaysDeny → alwaysAllow → target-based policies → trusted remote contexts → command-specific rules with argument matching → default decision (checked per layer in priority order)
 5. Results are combined: any deny → deny whole pipeline, any ask → ask, all allow → allow
 6. Returns the decision via stdout JSON (allow/ask) or exit code 2 (deny), with a system message explaining the reasoning for deny/ask decisions
 

package/config/warden.default.yaml

@@ -30,48 +30,100 @@ notifyOnDeny: true
 #   - nc
 #   - ncat
 
-# Trusted SSH hosts — ssh/scp/rsync to these hosts are auto-allowed.
-# Remote commands on trusted hosts are recursively evaluated through warden rules.
-# Supports glob patterns (* wildcards).
-# Entries can be strings (use global overrides) or objects with per-target settings.
-# trustedSSHHosts:
-#   - devserver                          # string → uses global overrides only
-#   - staging-*
-#   - "*.internal.company.com"
-#   - name: prod-bastion                 # object with per-target overrides
+# Remote execution contexts — SSH, Docker, kubectl, Sprite, Fly.io
+# Commands on trusted remotes are recursively evaluated through warden rules.
+# Supports glob patterns (* wildcards) for names.
+# trustedRemotes:
+#   - context: ssh
+#     name: devserver
+#   - context: ssh
+#     name: staging-*
+#   - context: ssh
+#     name: "*.internal.company.com"
+#   - context: ssh
+#     name: prod-bastion
 #     overrides:
 #       alwaysAllow: [systemctl]
-
-# Trusted Docker containers — docker exec to these containers are auto-allowed.
-# Remote commands are recursively evaluated through warden rules.
-# trustedDockerContainers:
-#   - my-app                             # string → uses global overrides only
-#   - name: dev-container                # object with allowAll (skip all checks)
-#     allowAll: true
-#   - name: staging-*                    # object with per-target overrides
+#   - context: docker
+#     name: my-app
+#   - context: docker
+#     name: dev-container
+#     allowAll: true                 # skip all checks (disposable env)
+#   - context: docker
+#     name: staging-*
 #     overrides:
 #       alwaysAllow: [sudo, apt]
-
-# Trusted kubectl contexts — kubectl exec in these contexts are auto-allowed.
-# Remote commands (after --) are recursively evaluated through warden rules.
-# trustedKubectlContexts:
-#   - minikube
-#   - name: dev-cluster-*
+#   - context: kubectl
+#     name: minikube
+#   - context: kubectl
+#     name: dev-cluster-*
 #     overrides:
 #       alwaysAllow: [sudo]
-#   - name: prod-cluster
+#   - context: kubectl
+#     name: prod-cluster
 #     overrides:
 #       alwaysDeny: [rm]
-
-# Trusted Sprites — sprite exec/console to these sprites are auto-allowed.
-# Remote commands are recursively evaluated through warden rules.
-# trustedSprites:
-#   - my-sprite                          # string → uses global overrides only
-#   - name: yudu-claw                    # allowAll: skip all checks (disposable env)
+#   - context: sprite
+#     name: my-sprite
+#   - context: sprite
+#     name: yudu-claw
 #     allowAll: true
-#   - name: dev-*                        # per-target overrides
+#   - context: sprite
+#     name: dev-*
 #     overrides:
 #       alwaysAllow: [sudo, apt]
+#   - context: fly
+#     name: my-fly-app
+#   - context: fly
+#     name: staging-*
+#     allowAll: true
+#   - context: fly
+#     name: prod-app
+#     overrides:
+#       alwaysAllow: [sudo, apt]
+
+# Target-based policies — override decisions based on paths, databases, or endpoints.
+# targetPolicies:
+#   - type: path
+#     path: /tmp
+#     allowAll: true                 # any command targeting /tmp is auto-allowed
+#   - type: path
+#     path: "{{cwd}}"               # expands to the project's working directory
+#     decision: allow
+#     commands: [rm, cp, mv]        # only override these commands
+#   - type: path
+#     path: /etc
+#     decision: deny                # block modifications to /etc
+#     reason: "System config directory"
+#   - type: path
+#     path: /opt/build
+#     recursive: false              # exact match only (not children)
+#     decision: allow
+#   - type: database
+#     host: localhost
+#     decision: allow
+#   - type: database
+#     host: "dev-*.internal"
+#     database: "test_*"
+#     decision: allow
+#   - type: database
+#     host: "prod.example.com"
+#     decision: deny
+#     reason: "Production database"
+#   - type: endpoint
+#     pattern: "http://localhost:*"
+#     decision: allow
+#   - type: endpoint
+#     pattern: "https://api.dev.example.com/*"
+#     decision: allow
+#   - type: endpoint
+#     pattern: "https://api.prod.example.com/*"
+#     decision: deny
+#     reason: "Production API"
+
+# Legacy keys (trustedSSHHosts, trustedDockerContainers, trustedKubectlContexts,
+# trustedSprites, trustedFlyApps, trustedPaths, trustedDatabases, trustedEndpoints)
+# are still supported and automatically converted to the unified form above.
 
 # Override rules when evaluating commands inside trusted remote contexts
 # (docker exec, kubectl exec, ssh, sprite exec). These overrides are applied