claude-warden 2.3.2 → 2.4.1

package/dist/codex-export.cjs

@@ -12481,7 +12481,7 @@ var require_log = __commonJS({
       if (logLevel === "debug")
         console.log(...messages);
     }
-    function warn(logLevel, warning) {
+    function warn2(logLevel, warning) {
       if (logLevel === "debug" || logLevel === "warn") {
         if (typeof node_process.emitWarning === "function")
           node_process.emitWarning(warning);
@@ -12490,7 +12490,7 @@ var require_log = __commonJS({
       }
     }
     exports2.debug = debug;
-    exports2.warn = warn;
+    exports2.warn = warn2;
   }
 });
 
@@ -18134,9 +18134,6 @@ var require_dist2 = __commonJS({
 var import_fs2 = require("fs");
 var import_path4 = require("path");
 
-// src/evaluator.ts
-var import_os = require("os");
-
 // src/parser.ts
 var import_bash_parser = __toESM(require_src(), 1);
 var import_path = require("path");
@@ -18456,6 +18453,9 @@ function regexFallbackParse(input) {
   return { command, originalCommand, args: args2, envPrefixes, raw: trimmed };
 }
 
+// src/evaluator.ts
+var import_os2 = require("os");
+
 // src/targets.ts
 var import_path2 = require("path");
 
@@ -18732,1029 +18732,152 @@ function evaluateTargetPolicies(cmd, cwd, config) {
   return results[0];
 }
 
-// src/evaluator.ts
-function safeRegexTest(pattern, input) {
-  try {
-    return new RegExp(pattern).test(input);
-  } catch {
-    process.stderr.write(`[warden] Warning: invalid regex pattern: ${pattern}
-`);
-    return false;
-  }
-}
-function commandMatchesName(cmd, name) {
-  if (name.startsWith("/")) {
-    return cmd.originalCommand === name;
-  }
-  if (name.startsWith("~/")) {
-    return cmd.originalCommand === (0, import_os.homedir)() + name.slice(1);
-  }
-  return cmd.command === name;
-}
-var MAX_RECURSION_DEPTH = 10;
-function evaluate(parsed, config, cwdOrDepth, maybeDepth) {
-  const cwd = typeof cwdOrDepth === "string" ? cwdOrDepth : void 0;
-  const depth = typeof cwdOrDepth === "number" ? cwdOrDepth : maybeDepth ?? 0;
-  if (depth > MAX_RECURSION_DEPTH) {
-    return { decision: "ask", reason: "Maximum recursion depth exceeded", details: [] };
-  }
-  if (parsed.parseError) {
-    return { decision: "ask", reason: "Could not parse command safely", details: [] };
-  }
-  if (parsed.commands.length === 0) {
-    return { decision: "allow", reason: "Empty command", details: [] };
-  }
-  if (parsed.hasSubshell && parsed.subshellCommands.length > 0) {
-    for (const subCmd of parsed.subshellCommands) {
-      const subParsed = parseCommand(subCmd);
-      const subResult = evaluate(subParsed, config, cwd, depth + 1);
-      if (subResult.decision === "deny") {
-        return { decision: "deny", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
-      }
-      if (subResult.decision === "ask") {
-        return { decision: "ask", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
-      }
-    }
-  } else if (parsed.hasSubshell && parsed.subshellCommands.length === 0 && config.askOnSubshell) {
-    return { decision: "ask", reason: "Command contains subshell/command substitution", details: [] };
-  }
-  const details = [];
-  for (const cmd of parsed.commands) {
-    details.push(evaluateCommand(cmd, config, cwd, depth));
-  }
-  const decisions = details.map((d) => d.decision);
-  if (decisions.includes("deny")) {
-    const denied = details.filter((d) => d.decision === "deny");
-    return {
-      decision: "deny",
-      reason: denied.map((d) => `${d.command}: ${d.reason}`).join("; "),
-      details
-    };
-  }
-  if (decisions.includes("ask")) {
-    const asked = details.filter((d) => d.decision === "ask");
-    return {
-      decision: "ask",
-      reason: asked.map((d) => `${d.command}: ${d.reason}`).join("; "),
-      details
-    };
-  }
-  return { decision: "allow", reason: "All commands are safe", details };
-}
-function evaluateCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  for (const layer of config.layers) {
-    if (layer.alwaysDeny.some((name) => commandMatchesName(cmd, name))) {
-      return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
-    }
-    if (layer.alwaysAllow.some((name) => commandMatchesName(cmd, name))) {
-      return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
-    }
-  }
-  if (cwd) {
-    const targetResult = evaluateTargetPolicies(cmd, cwd, config);
-    if (targetResult) return targetResult;
-  }
-  const remotes = config.trustedRemotes || [];
-  if (command === "ssh" || command === "scp" || command === "rsync") {
-    const sshTargets = remotes.filter((r) => r.context === "ssh");
-    if (sshTargets.length) {
-      const sshResult = evaluateSSHCommand(cmd, config, sshTargets, depth);
-      if (sshResult) return sshResult;
-    }
-  }
-  if (command === "docker") {
-    const dockerTargets = remotes.filter((r) => r.context === "docker");
-    if (dockerTargets.length) {
-      const dockerResult = evaluateDockerExec(cmd, config, dockerTargets, depth);
-      if (dockerResult) return dockerResult;
-    }
-  }
-  if (command === "kubectl") {
-    const kubectlTargets = remotes.filter((r) => r.context === "kubectl");
-    if (kubectlTargets.length) {
-      const kubectlResult = evaluateKubectlExec(cmd, config, kubectlTargets, depth);
-      if (kubectlResult) return kubectlResult;
-    }
-  }
-  if (command === "sprite") {
-    const spriteTargets = remotes.filter((r) => r.context === "sprite");
-    if (spriteTargets.length) {
-      const spriteResult = evaluateSpriteExec(cmd, config, spriteTargets, depth);
-      if (spriteResult) return spriteResult;
-    }
-  }
-  if (command === "fly" || command === "flyctl") {
-    const flyTargets = remotes.filter((r) => r.context === "fly");
-    if (flyTargets.length) {
-      const flyResult = evaluateFlyCommand(cmd, config, flyTargets, depth);
-      if (flyResult) return flyResult;
-    }
-  }
-  if (command === "xargs") {
-    return evaluateXargsCommand(cmd, config, cwd, depth);
-  }
-  if (command === "find") {
-    return evaluateFindCommand(cmd, config, cwd, depth);
-  }
-  const mergedRule = collectMergedRule(cmd, config);
-  if (mergedRule) {
-    return evaluateRule(cmd, mergedRule);
-  }
-  return { command, args: args2, decision: config.defaultDecision, reason: `No rule for "${command}"`, matchedRule: "default" };
+// src/rules.ts
+var import_fs = require("fs");
+var import_yaml = __toESM(require_dist2(), 1);
+var import_os = require("os");
+var import_path3 = require("path");
+
+// src/defaults.ts
+var SAFE_DEV_TOOLS = [
+  "jest",
+  "vitest",
+  "tsc",
+  "eslint",
+  "prettier",
+  "mkdirp",
+  "concurrently",
+  "turbo",
+  "next",
+  "nuxt",
+  "vite",
+  "astro",
+  "playwright",
+  "cypress",
+  "mocha",
+  "nyc",
+  "c8",
+  "ts-jest",
+  "tsup",
+  "esbuild",
+  "rollup",
+  "webpack",
+  "prisma",
+  "drizzle-kit",
+  "typeorm",
+  "knex",
+  "sequelize-cli",
+  "tailwindcss",
+  "postcss",
+  "autoprefixer",
+  "lint-staged",
+  "husky",
+  "changeset",
+  "semantic-release",
+  "lerna",
+  "nx",
+  "create-react-app",
+  "create-next-app",
+  "create-vite",
+  "degit",
+  "storybook",
+  "wrangler",
+  "netlify",
+  "vercel",
+  "json",
+  "biome"
+];
+var SCRIPT_RUNNERS = ["tsx", "ts-node", "nodemon"];
+var REGISTRY_OPS = ["publish", "unpublish", "deprecate", "owner", "access", "token", "adduser", "login", "logout"];
+var SAFE_PKG_MANAGER_CMDS = [
+  "install",
+  "add",
+  "remove",
+  "uninstall",
+  "update",
+  "upgrade",
+  "outdated",
+  "ls",
+  "list",
+  "run",
+  "test",
+  "start",
+  "build",
+  "init",
+  "create",
+  "info",
+  "view",
+  "show",
+  "why",
+  "pack",
+  "cache",
+  "config",
+  "get",
+  "set",
+  "version",
+  "help",
+  "exec",
+  "dedupe",
+  "prune",
+  "audit",
+  "completion",
+  "whoami"
+];
+var VERSION_HELP_FLAGS = {
+  match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] },
+  decision: "allow",
+  description: "Version/help flags"
+};
+function anyArgMatchesPattern(items) {
+  return `^(${items.join("|")})$`;
 }
-function collectMergedRule(cmd, config) {
-  const matchingRules = [];
-  for (const layer of config.layers) {
-    const rule = layer.rules.find((r) => commandMatchesName(cmd, r.command));
-    if (rule) {
-      matchingRules.push(rule);
-      if (rule.override) break;
-    }
-  }
-  if (matchingRules.length === 0) return null;
-  if (matchingRules.length === 1) return matchingRules[0];
-  const mergedPatterns = [];
-  for (const rule of matchingRules) {
-    if (rule.argPatterns) {
-      mergedPatterns.push(...rule.argPatterns);
-    }
-  }
+function safeDevToolsPattern() {
   return {
-    command: matchingRules[0].command,
-    default: matchingRules[0].default,
-    argPatterns: mergedPatterns
+    match: { anyArgMatches: [anyArgMatchesPattern(SAFE_DEV_TOOLS)] },
+    decision: "allow",
+    description: "Well-known dev tools"
   };
 }
-function evaluateRule(cmd, rule) {
-  const { command, args: args2 } = cmd;
-  const argsJoined = args2.join(" ");
-  for (const pattern of rule.argPatterns || []) {
-    const m = pattern.match;
-    let matched = true;
-    if (m.noArgs !== void 0) {
-      matched = matched && m.noArgs === (args2.length === 0);
-    }
-    if (m.argsMatch && matched) {
-      matched = m.argsMatch.some((re) => safeRegexTest(re, argsJoined));
-    }
-    if (m.anyArgMatches && matched) {
-      matched = args2.some((arg) => m.anyArgMatches.some((re) => safeRegexTest(re, arg)));
-    }
-    if (m.argCount && matched) {
-      if (m.argCount.min !== void 0) matched = matched && args2.length >= m.argCount.min;
-      if (m.argCount.max !== void 0) matched = matched && args2.length <= m.argCount.max;
-    }
-    if (m.not) matched = !matched;
-    if (matched) {
-      return {
-        command,
-        args: args2,
-        decision: pattern.decision,
-        reason: pattern.reason || pattern.description || `Matched pattern for "${command}"`,
-        matchedRule: `${command}:argPattern`
-      };
-    }
-  }
+function scriptRunnersPattern() {
   return {
-    command,
-    args: args2,
-    decision: rule.default,
-    reason: `Default for "${command}"`,
-    matchedRule: `${command}:default`
+    match: { anyArgMatches: [anyArgMatchesPattern(SCRIPT_RUNNERS)] },
+    decision: "ask",
+    reason: "Script runners can execute arbitrary code"
   };
 }
-var XARGS_SHORT_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set(["E", "I", "L", "n", "P", "s", "S", "d", "a"]);
-var XARGS_SHORT_FLAGS_NO_VALUE = /* @__PURE__ */ new Set(["0", "e", "o", "p", "r", "t", "x"]);
-var XARGS_LONG_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "--eof",
-  "--replace",
-  "--max-lines",
-  "--max-args",
-  "--max-procs",
-  "--max-chars",
-  "--arg-file",
-  "--delimiter"
-]);
-var XARGS_LONG_FLAGS_NO_VALUE = /* @__PURE__ */ new Set([
-  "--null",
-  "--exit",
-  "--open-tty",
-  "--interactive",
-  "--no-run-if-empty",
-  "--verbose",
-  "--show-limits"
-]);
-function parseXargsSubcommand(args2) {
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg === "--") {
-      i++;
-      break;
-    }
-    if (!arg.startsWith("-") || arg === "-") {
-      break;
-    }
-    if (arg.startsWith("--")) {
-      const eqIndex = arg.indexOf("=");
-      const longFlag = eqIndex === -1 ? arg : arg.slice(0, eqIndex);
-      if (XARGS_LONG_FLAGS_WITH_VALUE.has(longFlag)) {
-        if (eqIndex !== -1) {
-          i++;
-          continue;
-        }
-        if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
-        i += 2;
-        continue;
-      }
-      if (XARGS_LONG_FLAGS_NO_VALUE.has(longFlag)) {
-        i++;
-        continue;
-      }
-      return { subcommand: null, unresolved: true };
-    }
-    const short = arg[1];
-    if (XARGS_SHORT_FLAGS_WITH_VALUE.has(short)) {
-      if (arg.length > 2) {
-        i++;
-        continue;
-      }
-      if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
-      i += 2;
-      continue;
-    }
-    const grouped = arg.slice(1).split("");
-    const allKnownNoValue = grouped.every((ch) => XARGS_SHORT_FLAGS_NO_VALUE.has(ch));
-    if (allKnownNoValue) {
-      i++;
-      continue;
-    }
-    return { subcommand: null, unresolved: true };
-  }
-  if (i >= args2.length) {
-    return {
-      unresolved: false,
-      subcommand: {
-        command: "echo",
-        originalCommand: "echo",
-        args: [],
-        envPrefixes: [],
-        raw: "echo"
-      }
-    };
-  }
-  const subcommand = args2[i];
-  const subArgs = args2.slice(i + 1);
+function registryOpsPattern() {
   return {
-    unresolved: false,
-    subcommand: {
-      command: subcommand,
-      originalCommand: subcommand,
-      args: subArgs,
-      envPrefixes: [],
-      raw: [subcommand, ...subArgs].join(" ")
-    }
+    match: { anyArgMatches: [anyArgMatchesPattern(REGISTRY_OPS)] },
+    decision: "ask",
+    reason: "Registry modification"
   };
 }
-function evaluateXargsCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { subcommand, unresolved } = parseXargsSubcommand(args2);
-  if (unresolved || !subcommand) {
-    return {
-      command,
-      args: args2,
-      decision: "ask",
-      reason: "xargs subcommand could not be resolved safely",
-      matchedRule: "xargs:subcommand"
-    };
-  }
-  const isShellExec = (subcommand.command === "sh" || subcommand.command === "bash" || subcommand.command === "zsh") && subcommand.args.length >= 2 && subcommand.args[0] === "-c";
-  let parsed;
-  if (isShellExec) {
-    const innerResult = parseCommand(subcommand.args[1]);
-    if (innerResult.parseError) {
-      parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
-    } else {
-      parsed = innerResult;
-    }
-  } else {
-    parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
-  }
-  const result = evaluate(parsed, config, cwd, depth + 1);
+function pkgManagerRule(command, extraSafeCmds = []) {
+  const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
     command,
-    args: args2,
-    decision: result.decision,
-    reason: `xargs subcommand "${subcommand.command}": ${result.reason}`,
-    matchedRule: "xargs:subcommand"
+    default: "ask",
+    argPatterns: [
+      registryOpsPattern(),
+      {
+        match: { anyArgMatches: [anyArgMatchesPattern(safeCmds)] },
+        decision: "allow",
+        description: `Standard ${command} commands`
+      },
+      VERSION_HELP_FLAGS
+    ]
   };
 }
-function parseFindExecCommands(args2) {
-  const commands = [];
-  let i = 0;
-  while (i < args2.length) {
-    if (args2[i] === "-exec" || args2[i] === "-execdir") {
-      i++;
-      const cmdArgs = [];
-      while (i < args2.length && args2[i] !== ";" && args2[i] !== "+") {
-        if (args2[i] !== "{}") {
-          cmdArgs.push(args2[i]);
-        }
-        i++;
-      }
-      i++;
-      if (cmdArgs.length > 0) {
-        commands.push({
-          command: cmdArgs[0],
-          originalCommand: cmdArgs[0],
-          args: cmdArgs.slice(1),
-          envPrefixes: [],
-          raw: cmdArgs.join(" ")
-        });
-      }
-    } else {
-      i++;
-    }
-  }
-  return commands;
-}
-function evaluateFindCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2.some((a) => a === "-delete")) {
-    return { command, args: args2, decision: "ask", reason: "find -delete can remove files", matchedRule: "find:delete" };
-  }
-  if (args2.some((a) => a === "-ok" || a === "-okdir")) {
-    return { command, args: args2, decision: "ask", reason: "find -ok/-okdir can execute commands interactively", matchedRule: "find:ok" };
-  }
-  const execCommands = parseFindExecCommands(args2);
-  if (execCommands.length === 0) {
-    return { command, args: args2, decision: "allow", reason: "find without dangerous flags", matchedRule: "find:safe" };
-  }
-  for (const execCmd of execCommands) {
-    const parsed = {
-      commands: [execCmd],
-      hasSubshell: false,
-      subshellCommands: [],
-      parseError: false
-    };
-    const result = evaluate(parsed, config, cwd, depth + 1);
-    if (result.decision === "deny") {
-      return { command, args: args2, decision: "deny", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
-    }
-    if (result.decision === "ask") {
-      return { command, args: args2, decision: "ask", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
-    }
-  }
-  return { command, args: args2, decision: "allow", reason: "find -exec commands are safe", matchedRule: "find:exec" };
-}
-var SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-b",
-  "-c",
-  "-D",
-  "-E",
-  "-e",
-  "-F",
-  "-I",
-  "-i",
-  "-J",
-  "-L",
-  "-l",
-  "-m",
-  "-O",
-  "-o",
-  "-p",
-  "-Q",
-  "-R",
-  "-S",
-  "-W",
-  "-w"
-]);
-function findMatchingTarget(value, targets) {
-  return targets.find((t) => globToRegex(t.name).test(value)) || null;
-}
-function parseSSHArgs(args2) {
-  let host = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (SSH_FLAGS_WITH_VALUE.has(arg)) {
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!host) {
-      host = arg.includes("@") ? arg.split("@").pop() : arg;
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    i++;
-  }
-  return {
-    host,
-    remoteCommand: remoteArgs.length > 0 ? remoteArgs.map(shellQuote).join(" ") : null
-  };
-}
-function extractHostFromRemotePath(args2) {
-  for (const arg of args2) {
-    const match = arg.match(/^(?:[^@]+@)?([^:]+):/);
-    if (match) return match[1];
-  }
-  return null;
-}
-function evaluateSSHCommand(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (command === "scp" || command === "rsync") {
-    const host2 = extractHostFromRemotePath(args2);
-    if (!host2) return null;
-    const target2 = findMatchingTarget(host2, targets);
-    if (!target2) return null;
-    if (target2.allowAll || !target2.overrides) {
-      return {
-        command,
-        args: args2,
-        decision: "allow",
-        reason: `Trusted SSH host "${host2}"${target2.allowAll ? " (allowAll)" : ""}`,
-        matchedRule: "trustedSSHHosts"
-      };
-    }
-    if (target2.overrides.alwaysDeny.some((name) => name === command)) {
-      return {
-        command,
-        args: args2,
-        decision: "deny",
-        reason: `Trusted SSH host "${host2}": "${command}" blocked by overrides`,
-        matchedRule: "trustedSSHHosts"
-      };
-    }
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host2}"`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  const { host, remoteCommand } = parseSSHArgs(args2);
-  if (!host) return null;
-  const target = findMatchingTarget(host, targets);
-  if (!target) return null;
-  if (!remoteCommand) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host}" (interactive)`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  if (target.allowAll) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host}" (allowAll)`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, configWithContextOverrides(config, target), depth + 1);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted SSH host "${host}": ${result.reason}`,
-    matchedRule: "trustedSSHHosts"
-  };
-}
-var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-e",
-  "--env",
-  "--env-file",
-  "-u",
-  "--user",
-  "-w",
-  "--workdir",
-  "--detach-keys"
-]);
-var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
-function shellQuote(arg) {
-  if (/[\s"'\\$`!#&|;()<>]/.test(arg)) {
-    return `'${arg.replace(/'/g, "'\\''")}'`;
-  }
-  return arg;
-}
-function configWithContextOverrides(config, target) {
-  const overrideLayers = [];
-  if (target?.overrides) overrideLayers.push(target.overrides);
-  if (config.trustedContextOverrides) overrideLayers.push(config.trustedContextOverrides);
-  if (overrideLayers.length === 0) return config;
-  return {
-    ...config,
-    layers: [...overrideLayers, ...config.layers]
-  };
-}
-function evaluateRemoteCommand(remoteArgs, config, target, depth = 0) {
-  if (target?.allowAll) {
-    return { decision: "allow", reason: "allowAll target", details: [] };
-  }
-  const overriddenConfig = configWithContextOverrides(config, target);
-  if (remoteArgs.length === 0) {
-    return { decision: "allow", reason: "interactive", details: [] };
-  }
-  const remoteCmd = remoteArgs[0];
-  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs.length === 1) {
-    return { decision: "allow", reason: "interactive shell", details: [] };
-  }
-  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs[1] === "-c" && remoteArgs.length >= 3) {
-    const innerCommand = remoteArgs.slice(2).join(" ");
-    const parsed2 = parseCommand(innerCommand);
-    return evaluate(parsed2, overriddenConfig, depth + 1);
-  }
-  const parsed = {
-    commands: [{ command: remoteCmd, originalCommand: remoteCmd, args: remoteArgs.slice(1), envPrefixes: [], raw: remoteArgs.join(" ") }],
-    hasSubshell: false,
-    subshellCommands: [],
-    parseError: false
-  };
-  return evaluate(parsed, overriddenConfig, depth + 1);
-}
-function parseDockerExecArgs(args2) {
-  let target = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (DOCKER_EXEC_FLAGS_WITH_VALUE.has(arg)) {
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!target) {
-      target = arg;
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    i++;
-  }
-  return { target, remoteArgs };
-}
-function evaluateDockerExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2[0] !== "exec") return null;
-  const { target: containerName, remoteArgs } = parseDockerExecArgs(args2.slice(1));
-  if (!containerName) return null;
-  const matched = findMatchingTarget(containerName, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted Docker container "${containerName}" (${result.reason})`,
-    matchedRule: "trustedDockerContainers"
-  };
-}
-var KUBECTL_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-n",
-  "--namespace",
-  "-c",
-  "--container",
-  "--context",
-  "--cluster",
-  "--kubeconfig",
-  "-s",
-  "--server",
-  "--token",
-  "--user",
-  "--as",
-  "--as-group",
-  "--certificate-authority",
-  "--client-certificate",
-  "--client-key",
-  "-l",
-  "--selector",
-  "-f",
-  "--filename",
-  "--cache-dir",
-  "--request-timeout",
-  "-o",
-  "--output"
-]);
-function parseKubectlExecArgs(args2) {
-  let context = null;
-  let pod = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg === "--") {
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    if (arg.startsWith("--") && arg.includes("=")) {
-      if (arg.startsWith("--context=")) {
-        context = arg.split("=")[1];
-      }
-      i++;
-      continue;
-    }
-    if (KUBECTL_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "--context") context = args2[i + 1] || null;
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!pod) {
-      pod = arg;
-    }
-    i++;
-  }
-  return { context, pod, remoteArgs };
-}
-function evaluateKubectlExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2[0] !== "exec") return null;
-  const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
-  if (!context) return null;
-  const matched = findMatchingTarget(context, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (${result.reason})`,
-    matchedRule: "trustedKubectlContexts"
-  };
-}
-var SPRITE_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-o",
-  "--org",
-  "-s",
-  "--sprite"
-]);
-function parseSpriteExecArgs(args2) {
-  let spriteName = null;
-  const remoteArgs = [];
-  let foundExec = false;
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg.startsWith("--") && arg.includes("=")) {
-      if (arg.startsWith("--sprite=")) {
-        spriteName = arg.split("=")[1];
-      }
-      i++;
-      continue;
-    }
-    if (SPRITE_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "-s" || arg === "--sprite") {
-        spriteName = args2[i + 1] || null;
-      }
-      i += 2;
-      continue;
-    }
-    if (arg === "--debug") {
-      i++;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!foundExec) {
-      if (arg === "exec" || arg === "x" || arg === "console" || arg === "c") {
-        foundExec = true;
-        i++;
-        continue;
-      }
-      return { spriteName: null, remoteArgs: [] };
-    }
-    while (i < args2.length) {
-      remoteArgs.push(args2[i]);
-      i++;
-    }
-    break;
-  }
-  return { spriteName, remoteArgs };
-}
-function evaluateSpriteExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
-  if (!spriteName) return null;
-  const matched = findMatchingTarget(spriteName, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted sprite "${spriteName}" (${result.reason})`,
-    matchedRule: "trustedSprites"
-  };
-}
-var FLY_SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-a",
-  "--app",
-  "-C",
-  "--command",
-  "-o",
-  "--org",
-  "-r",
-  "--region",
-  "-u",
-  "--user",
-  "--address"
-]);
-function parseFlySSHArgs(args2) {
-  let app = null;
-  const remoteArgs = [];
-  let isSSH = false;
-  let foundConsole = false;
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg.startsWith("--app=")) {
-      app = arg.slice(6);
-      i++;
-      continue;
-    }
-    if (FLY_SSH_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "-a" || arg === "--app") {
-        app = args2[i + 1] || null;
-      }
-      if ((arg === "-C" || arg === "--command") && foundConsole) {
-        const cmdValue = args2[i + 1];
-        if (cmdValue) {
-          const parsed = parseCommand(cmdValue);
-          if (!parsed.parseError && parsed.commands.length > 0) {
-            const cmd = parsed.commands[0];
-            remoteArgs.push(cmd.command, ...cmd.args);
-          }
-        }
-        i += 2;
-        continue;
-      }
-      i += 2;
-      continue;
-    }
-    if (arg === "--") {
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!isSSH && arg === "ssh") {
-      isSSH = true;
-      i++;
-      continue;
-    }
-    if (isSSH && !foundConsole && (arg === "console" || arg === "sftp")) {
-      foundConsole = true;
-      i++;
-      continue;
-    }
-    i++;
-  }
-  return { app, remoteArgs, isSSH: isSSH && foundConsole };
-}
-function evaluateFlyCommand(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { app, remoteArgs, isSSH } = parseFlySSHArgs(args2);
-  if (!isSSH) return null;
-  if (!app) return null;
-  const matched = findMatchingTarget(app, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted Fly app "${app}" (${result.reason})`,
-    matchedRule: "trustedFlyApps"
-  };
-}
-
-// src/codex.ts
-function toCodexDecision(decision) {
-  if (decision === "allow") return "allow";
-  if (decision === "ask") return "prompt";
-  return "forbidden";
-}
-function quote(value) {
-  return JSON.stringify(value);
-}
-function collectCandidateCommands(config) {
-  const names = /* @__PURE__ */ new Set();
-  for (const layer of config.layers) {
-    for (const name of layer.alwaysAllow) names.add(name);
-    for (const name of layer.alwaysDeny) names.add(name);
-    for (const rule of layer.rules) names.add(rule.command);
-  }
-  return [...names].map((n) => n.trim()).filter((n) => n.length > 0 && !/\s/.test(n)).sort();
-}
-function buildCodexRuleRecords(config) {
-  const records = [];
-  for (const command of collectCandidateCommands(config)) {
-    const result = evaluate(parseCommand(command), config);
-    records.push({
-      command,
-      decision: result.decision,
-      reason: result.reason
-    });
-  }
-  return records;
-}
-function generateCodexRules(config) {
-  const lines = [
-    "# Generated by claude-warden.",
-    "# Regenerate with: pnpm codex:export-rules",
-    ""
-  ];
-  for (const record of buildCodexRuleRecords(config)) {
-    lines.push(
-      `prefix_rule(pattern = [${quote(record.command)}], decision = ${quote(toCodexDecision(record.decision))}, justification = ${quote(`Warden: ${record.reason}`)})`
-    );
-  }
-  lines.push("");
-  return lines.join("\n");
-}
-
-// src/rules.ts
-var import_fs = require("fs");
-var import_yaml = __toESM(require_dist2(), 1);
-var import_os2 = require("os");
-var import_path3 = require("path");
-
-// src/defaults.ts
-var SAFE_DEV_TOOLS = [
-  "jest",
-  "vitest",
-  "tsc",
-  "eslint",
-  "prettier",
-  "mkdirp",
-  "concurrently",
-  "turbo",
-  "next",
-  "nuxt",
-  "vite",
-  "astro",
-  "playwright",
-  "cypress",
-  "mocha",
-  "nyc",
-  "c8",
-  "ts-jest",
-  "tsup",
-  "esbuild",
-  "rollup",
-  "webpack",
-  "prisma",
-  "drizzle-kit",
-  "typeorm",
-  "knex",
-  "sequelize-cli",
-  "tailwindcss",
-  "postcss",
-  "autoprefixer",
-  "lint-staged",
-  "husky",
-  "changeset",
-  "semantic-release",
-  "lerna",
-  "nx",
-  "create-react-app",
-  "create-next-app",
-  "create-vite",
-  "degit",
-  "storybook",
-  "wrangler",
-  "netlify",
-  "vercel",
-  "json",
-  "biome"
-];
-var SCRIPT_RUNNERS = ["tsx", "ts-node", "nodemon"];
-var REGISTRY_OPS = ["publish", "unpublish", "deprecate", "owner", "access", "token", "adduser", "login", "logout"];
-var SAFE_PKG_MANAGER_CMDS = [
-  "install",
-  "add",
-  "remove",
-  "uninstall",
-  "update",
-  "upgrade",
-  "outdated",
-  "ls",
-  "list",
-  "run",
-  "test",
-  "start",
-  "build",
-  "init",
-  "create",
-  "info",
-  "view",
-  "show",
-  "why",
-  "pack",
-  "cache",
-  "config",
-  "get",
-  "set",
-  "version",
-  "help",
-  "exec",
-  "dedupe",
-  "prune",
-  "audit",
-  "completion",
-  "whoami"
-];
-var VERSION_HELP_FLAGS = {
-  match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] },
-  decision: "allow",
-  description: "Version/help flags"
-};
-function anyArgMatchesPattern(items) {
-  return `^(${items.join("|")})$`;
-}
-function safeDevToolsPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(SAFE_DEV_TOOLS)] },
-    decision: "allow",
-    description: "Well-known dev tools"
-  };
-}
-function scriptRunnersPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(SCRIPT_RUNNERS)] },
-    decision: "ask",
-    reason: "Script runners can execute arbitrary code"
-  };
-}
-function registryOpsPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(REGISTRY_OPS)] },
-    decision: "ask",
-    reason: "Registry modification"
-  };
-}
-function pkgManagerRule(command, extraSafeCmds = []) {
-  const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
-  return {
-    command,
-    default: "ask",
-    argPatterns: [
-      registryOpsPattern(),
-      {
-        match: { anyArgMatches: [anyArgMatchesPattern(safeCmds)] },
-        decision: "allow",
-        description: `Standard ${command} commands`
-      },
-      VERSION_HELP_FLAGS
-    ]
-  };
-}
-function pkgRunnerRule(command) {
-  return {
-    command,
-    default: "ask",
-    argPatterns: [
-      safeDevToolsPattern(),
-      scriptRunnersPattern(),
-      VERSION_HELP_FLAGS
-    ]
-  };
+function pkgRunnerRule(command) {
+  return {
+    command,
+    default: "ask",
+    argPatterns: [
+      safeDevToolsPattern(),
+      scriptRunnersPattern(),
+      VERSION_HELP_FLAGS
+    ]
+  };
 }
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
@@ -20337,319 +19460,1181 @@ var DEFAULT_CONFIG = {
   }]
 };
 
-// src/rules.ts
-var VALID_DECISIONS = /* @__PURE__ */ new Set(["allow", "deny", "ask"]);
-function isValidDecision(value) {
-  return VALID_DECISIONS.has(value);
+// src/rules.ts
+var VALID_DECISIONS = /* @__PURE__ */ new Set(["allow", "deny", "ask"]);
+function isValidDecision(value) {
+  return VALID_DECISIONS.has(value);
+}
+var quiet = true;
+function setQuiet(value) {
+  quiet = value;
+}
+function warn(message) {
+  if (quiet) return;
+  process.stderr.write(message);
+}
+var USER_CONFIG_PATHS = [
+  (0, import_path3.join)((0, import_os.homedir)(), ".claude", "warden.yaml"),
+  (0, import_path3.join)((0, import_os.homedir)(), ".claude", "warden.json")
+];
+var PROJECT_CONFIG_NAMES = [
+  ".claude/warden.yaml",
+  ".claude/warden.json"
+];
+function loadConfig(cwd) {
+  const config = structuredClone(DEFAULT_CONFIG);
+  const defaultLayer = config.layers[0];
+  let userLayer = null;
+  let userRaw = null;
+  for (const configPath of USER_CONFIG_PATHS) {
+    const result = tryLoadFile(configPath);
+    if (result) {
+      userLayer = extractLayer(result);
+      userRaw = result;
+      break;
+    }
+  }
+  let workspaceLayer = null;
+  let workspaceRaw = null;
+  if (cwd) {
+    for (const name of PROJECT_CONFIG_NAMES) {
+      const result = tryLoadFile((0, import_path3.join)(cwd, name));
+      if (result) {
+        workspaceLayer = extractLayer(result);
+        workspaceRaw = result;
+        break;
+      }
+    }
+  }
+  config.layers = [
+    ...workspaceLayer ? [workspaceLayer] : [],
+    ...userLayer ? [userLayer] : [],
+    defaultLayer
+  ];
+  if (userRaw) mergeNonLayerFields(config, userRaw);
+  if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
+  return config;
+}
+function tryLoadFile(filePath) {
+  if (!(0, import_fs.existsSync)(filePath)) return null;
+  try {
+    const raw = (0, import_fs.readFileSync)(filePath, "utf-8");
+    const parsed = filePath.endsWith(".yaml") || filePath.endsWith(".yml") ? (0, import_yaml.parse)(raw) : JSON.parse(raw);
+    if (parsed && typeof parsed === "object") {
+      return parsed;
+    }
+  } catch (err) {
+    warn(`[warden] Warning: failed to parse config ${filePath}: ${err instanceof Error ? err.message : String(err)}
+`);
+  }
+  return null;
+}
+function extractLayer(raw) {
+  const rules = Array.isArray(raw.rules) ? raw.rules : [];
+  for (const rule of rules) {
+    if (rule && typeof rule === "object") {
+      if (rule.default && !isValidDecision(rule.default)) {
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+`);
+        rule.default = "ask";
+      }
+      if (Array.isArray(rule.argPatterns)) {
+        for (const pattern of rule.argPatterns) {
+          if (pattern?.decision && !isValidDecision(pattern.decision)) {
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+`);
+            pattern.decision = "ask";
+          }
+        }
+      }
+    }
+  }
+  return {
+    alwaysAllow: Array.isArray(raw.alwaysAllow) ? raw.alwaysAllow : [],
+    alwaysDeny: Array.isArray(raw.alwaysDeny) ? raw.alwaysDeny : [],
+    rules
+  };
+}
+function parseTrustedList(raw) {
+  return raw.map((entry) => {
+    if (typeof entry === "string") return { name: entry };
+    if (entry && typeof entry === "object" && "name" in entry) {
+      const obj = entry;
+      const target = { name: String(obj.name) };
+      if (obj.allowAll === true) target.allowAll = true;
+      if (obj.overrides && typeof obj.overrides === "object") {
+        target.overrides = extractLayer(obj.overrides);
+      }
+      return target;
+    }
+    return null;
+  }).filter((t) => t !== null);
+}
+var VALID_REMOTE_CONTEXTS = /* @__PURE__ */ new Set(["ssh", "docker", "kubectl", "sprite", "fly"]);
+function parseTrustedRemotes(raw) {
+  const results = [];
+  for (const entry of raw) {
+    if (!entry || typeof entry !== "object") continue;
+    const obj = entry;
+    const context = String(obj.context || "");
+    if (!VALID_REMOTE_CONTEXTS.has(context)) {
+      warn(`[warden] Warning: unknown remote context "${context}", skipping
+`);
+      continue;
+    }
+    const name = String(obj.name || "");
+    if (!name) continue;
+    const remote = { name, context };
+    if (obj.allowAll === true) remote.allowAll = true;
+    if (obj.overrides && typeof obj.overrides === "object") {
+      remote.overrides = extractLayer(obj.overrides);
+    }
+    results.push(remote);
+  }
+  return results;
+}
+function parseTargetPolicies(raw) {
+  const results = [];
+  for (const entry of raw) {
+    if (!entry || typeof entry !== "object") continue;
+    const obj = entry;
+    const type = String(obj.type || "");
+    const rawDecision = String(obj.decision || "allow");
+    const decision = isValidDecision(rawDecision) ? rawDecision : "allow";
+    const base = {
+      commands: Array.isArray(obj.commands) ? obj.commands.map(String) : void 0,
+      decision,
+      reason: obj.reason ? String(obj.reason) : void 0,
+      allowAll: obj.allowAll === true ? true : void 0
+    };
+    switch (type) {
+      case "path": {
+        const path = String(obj.path || "");
+        if (!path) continue;
+        const policy = { ...base, type: "path", path };
+        if (obj.recursive === false) policy.recursive = false;
+        results.push(policy);
+        break;
+      }
+      case "database": {
+        const host = String(obj.host || "");
+        if (!host) continue;
+        const policy = { ...base, type: "database", host };
+        if (typeof obj.port === "number") policy.port = obj.port;
+        if (obj.database) policy.database = String(obj.database);
+        results.push(policy);
+        break;
+      }
+      case "endpoint": {
+        const pattern = String(obj.pattern || "");
+        if (!pattern) continue;
+        results.push({ ...base, type: "endpoint", pattern });
+        break;
+      }
+      default:
+        warn(`[warden] Warning: unknown target policy type "${type}", skipping
+`);
+    }
+  }
+  return results;
+}
+function parseLegacyPaths(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const path = String(obj.path || "");
+    if (!path) continue;
+    const tp = { type: "path", path, decision };
+    if (obj.recursive === false) tp.recursive = false;
+    if (Array.isArray(obj.commands)) tp.commands = obj.commands.map(String);
+    if (obj.reason) tp.reason = String(obj.reason);
+    results.push(tp);
+  }
+  return results;
+}
+function parseLegacyDatabases(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const host = String(obj.host || "");
+    if (!host) continue;
+    const td = { type: "database", host, decision };
+    if (typeof obj.port === "number") td.port = obj.port;
+    if (obj.database) td.database = String(obj.database);
+    if (Array.isArray(obj.commands)) td.commands = obj.commands.map(String);
+    if (obj.reason) td.reason = String(obj.reason);
+    results.push(td);
+  }
+  return results;
+}
+function parseLegacyEndpoints(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const pattern = String(obj.pattern || "");
+    if (!pattern) continue;
+    const te = { type: "endpoint", pattern, decision };
+    if (Array.isArray(obj.commands)) te.commands = obj.commands.map(String);
+    if (obj.reason) te.reason = String(obj.reason);
+    results.push(te);
+  }
+  return results;
+}
+var LEGACY_REMOTE_MAP = {
+  trustedSSHHosts: "ssh",
+  trustedDockerContainers: "docker",
+  trustedKubectlContexts: "kubectl",
+  trustedSprites: "sprite",
+  trustedFlyApps: "fly"
+};
+function mergeNonLayerFields(config, raw) {
+  if (Array.isArray(raw.trustedRemotes)) {
+    config.trustedRemotes = [...config.trustedRemotes || [], ...parseTrustedRemotes(raw.trustedRemotes)];
+  }
+  if (Array.isArray(raw.targetPolicies)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseTargetPolicies(raw.targetPolicies)];
+  }
+  for (const [key, context] of Object.entries(LEGACY_REMOTE_MAP)) {
+    if (Array.isArray(raw[key])) {
+      const remotes = parseTrustedList(raw[key]).map((t) => ({ ...t, context }));
+      config.trustedRemotes = [...config.trustedRemotes || [], ...remotes];
+    }
+  }
+  if (Array.isArray(raw.trustedPaths)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyPaths(raw.trustedPaths)];
+  }
+  if (Array.isArray(raw.trustedDatabases)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyDatabases(raw.trustedDatabases)];
+  }
+  if (Array.isArray(raw.trustedEndpoints)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyEndpoints(raw.trustedEndpoints)];
+  }
+  if (typeof raw.defaultDecision === "string") {
+    if (isValidDecision(raw.defaultDecision)) {
+      config.defaultDecision = raw.defaultDecision;
+    } else {
+      warn(`[warden] Warning: invalid defaultDecision "${raw.defaultDecision}", ignoring
+`);
+    }
+  }
+  if (typeof raw.askOnSubshell === "boolean") {
+    config.askOnSubshell = raw.askOnSubshell;
+  }
+  if (typeof raw.notifyOnAsk === "boolean") {
+    config.notifyOnAsk = raw.notifyOnAsk;
+  }
+  if (typeof raw.notifyOnDeny === "boolean") {
+    config.notifyOnDeny = raw.notifyOnDeny;
+  }
+  if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
+    const overrides = raw.trustedContextOverrides;
+    const layer = extractLayer(overrides);
+    if (config.trustedContextOverrides) {
+      config.trustedContextOverrides = {
+        alwaysAllow: [...layer.alwaysAllow, ...config.trustedContextOverrides.alwaysAllow],
+        alwaysDeny: [...layer.alwaysDeny, ...config.trustedContextOverrides.alwaysDeny],
+        rules: [...layer.rules, ...config.trustedContextOverrides.rules]
+      };
+    } else {
+      config.trustedContextOverrides = layer;
+    }
+  }
+}
+
+// src/evaluator.ts
+function safeRegexTest(pattern, input) {
+  try {
+    return new RegExp(pattern).test(input);
+  } catch {
+    warn(`[warden] Warning: invalid regex pattern: ${pattern}
+`);
+    return false;
+  }
+}
+function commandMatchesName(cmd, name) {
+  if (name.startsWith("/")) {
+    return cmd.originalCommand === name;
+  }
+  if (name.startsWith("~/")) {
+    return cmd.originalCommand === (0, import_os2.homedir)() + name.slice(1);
+  }
+  return cmd.command === name;
+}
+var MAX_RECURSION_DEPTH = 10;
+function evaluate(parsed, config, cwdOrDepth, maybeDepth) {
+  const cwd = typeof cwdOrDepth === "string" ? cwdOrDepth : void 0;
+  const depth = typeof cwdOrDepth === "number" ? cwdOrDepth : maybeDepth ?? 0;
+  if (depth > MAX_RECURSION_DEPTH) {
+    return { decision: "ask", reason: "Maximum recursion depth exceeded", details: [] };
+  }
+  if (parsed.parseError) {
+    return { decision: "ask", reason: "Could not parse command safely", details: [] };
+  }
+  if (parsed.commands.length === 0) {
+    return { decision: "allow", reason: "Empty command", details: [] };
+  }
+  if (parsed.hasSubshell && parsed.subshellCommands.length > 0) {
+    for (const subCmd of parsed.subshellCommands) {
+      const subParsed = parseCommand(subCmd);
+      const subResult = evaluate(subParsed, config, cwd, depth + 1);
+      if (subResult.decision === "deny") {
+        return { decision: "deny", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+      if (subResult.decision === "ask") {
+        return { decision: "ask", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+    }
+  } else if (parsed.hasSubshell && parsed.subshellCommands.length === 0 && config.askOnSubshell) {
+    return { decision: "ask", reason: "Command contains subshell/command substitution", details: [] };
+  }
+  const details = [];
+  for (const cmd of parsed.commands) {
+    details.push(evaluateCommand(cmd, config, cwd, depth));
+  }
+  const decisions = details.map((d) => d.decision);
+  if (decisions.includes("deny")) {
+    const denied = details.filter((d) => d.decision === "deny");
+    return {
+      decision: "deny",
+      reason: denied.map((d) => `${d.command}: ${d.reason}`).join("; "),
+      details
+    };
+  }
+  if (decisions.includes("ask")) {
+    const asked = details.filter((d) => d.decision === "ask");
+    return {
+      decision: "ask",
+      reason: asked.map((d) => `${d.command}: ${d.reason}`).join("; "),
+      details
+    };
+  }
+  return { decision: "allow", reason: "All commands are safe", details };
+}
+function evaluateCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  for (const layer of config.layers) {
+    if (layer.alwaysDeny.some((name) => commandMatchesName(cmd, name))) {
+      return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
+    }
+    if (layer.alwaysAllow.some((name) => commandMatchesName(cmd, name))) {
+      return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
+    }
+  }
+  if (cwd) {
+    const targetResult = evaluateTargetPolicies(cmd, cwd, config);
+    if (targetResult) return targetResult;
+  }
+  const remotes = config.trustedRemotes || [];
+  if (command === "ssh" || command === "scp" || command === "rsync") {
+    const sshTargets = remotes.filter((r) => r.context === "ssh");
+    if (sshTargets.length) {
+      const sshResult = evaluateSSHCommand(cmd, config, sshTargets, depth);
+      if (sshResult) return sshResult;
+    }
+  }
+  if (command === "docker") {
+    const dockerTargets = remotes.filter((r) => r.context === "docker");
+    if (dockerTargets.length) {
+      const dockerResult = evaluateDockerExec(cmd, config, dockerTargets, depth);
+      if (dockerResult) return dockerResult;
+    }
+  }
+  if (command === "kubectl") {
+    const kubectlTargets = remotes.filter((r) => r.context === "kubectl");
+    if (kubectlTargets.length) {
+      const kubectlResult = evaluateKubectlExec(cmd, config, kubectlTargets, depth);
+      if (kubectlResult) return kubectlResult;
+    }
+  }
+  if (command === "sprite") {
+    const spriteTargets = remotes.filter((r) => r.context === "sprite");
+    if (spriteTargets.length) {
+      const spriteResult = evaluateSpriteExec(cmd, config, spriteTargets, depth);
+      if (spriteResult) return spriteResult;
+    }
+  }
+  if (command === "fly" || command === "flyctl") {
+    const flyTargets = remotes.filter((r) => r.context === "fly");
+    if (flyTargets.length) {
+      const flyResult = evaluateFlyCommand(cmd, config, flyTargets, depth);
+      if (flyResult) return flyResult;
+    }
+  }
+  if (command === "xargs") {
+    return evaluateXargsCommand(cmd, config, cwd, depth);
+  }
+  if (command === "find") {
+    return evaluateFindCommand(cmd, config, cwd, depth);
+  }
+  const mergedRule = collectMergedRule(cmd, config);
+  if (mergedRule) {
+    return evaluateRule(cmd, mergedRule);
+  }
+  return { command, args: args2, decision: config.defaultDecision, reason: `No rule for "${command}"`, matchedRule: "default" };
+}
+function collectMergedRule(cmd, config) {
+  const matchingRules = [];
+  for (const layer of config.layers) {
+    const rule = layer.rules.find((r) => commandMatchesName(cmd, r.command));
+    if (rule) {
+      matchingRules.push(rule);
+      if (rule.override) break;
+    }
+  }
+  if (matchingRules.length === 0) return null;
+  if (matchingRules.length === 1) return matchingRules[0];
+  const mergedPatterns = [];
+  for (const rule of matchingRules) {
+    if (rule.argPatterns) {
+      mergedPatterns.push(...rule.argPatterns);
+    }
+  }
+  return {
+    command: matchingRules[0].command,
+    default: matchingRules[0].default,
+    argPatterns: mergedPatterns
+  };
+}
+function evaluateRule(cmd, rule) {
+  const { command, args: args2 } = cmd;
+  const argsJoined = args2.join(" ");
+  for (const pattern of rule.argPatterns || []) {
+    const m = pattern.match;
+    let matched = true;
+    if (m.noArgs !== void 0) {
+      matched = matched && m.noArgs === (args2.length === 0);
+    }
+    if (m.argsMatch && matched) {
+      matched = m.argsMatch.some((re) => safeRegexTest(re, argsJoined));
+    }
+    if (m.anyArgMatches && matched) {
+      matched = args2.some((arg) => m.anyArgMatches.some((re) => safeRegexTest(re, arg)));
+    }
+    if (m.argCount && matched) {
+      if (m.argCount.min !== void 0) matched = matched && args2.length >= m.argCount.min;
+      if (m.argCount.max !== void 0) matched = matched && args2.length <= m.argCount.max;
+    }
+    if (m.not) matched = !matched;
+    if (matched) {
+      return {
+        command,
+        args: args2,
+        decision: pattern.decision,
+        reason: pattern.reason || pattern.description || `Matched pattern for "${command}"`,
+        matchedRule: `${command}:argPattern`
+      };
+    }
+  }
+  return {
+    command,
+    args: args2,
+    decision: rule.default,
+    reason: `Default for "${command}"`,
+    matchedRule: `${command}:default`
+  };
+}
+var XARGS_SHORT_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set(["E", "I", "L", "n", "P", "s", "S", "d", "a"]);
+var XARGS_SHORT_FLAGS_NO_VALUE = /* @__PURE__ */ new Set(["0", "e", "o", "p", "r", "t", "x"]);
+var XARGS_LONG_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "--eof",
+  "--replace",
+  "--max-lines",
+  "--max-args",
+  "--max-procs",
+  "--max-chars",
+  "--arg-file",
+  "--delimiter"
+]);
+var XARGS_LONG_FLAGS_NO_VALUE = /* @__PURE__ */ new Set([
+  "--null",
+  "--exit",
+  "--open-tty",
+  "--interactive",
+  "--no-run-if-empty",
+  "--verbose",
+  "--show-limits"
+]);
+function parseXargsSubcommand(args2) {
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg === "--") {
+      i++;
+      break;
+    }
+    if (!arg.startsWith("-") || arg === "-") {
+      break;
+    }
+    if (arg.startsWith("--")) {
+      const eqIndex = arg.indexOf("=");
+      const longFlag = eqIndex === -1 ? arg : arg.slice(0, eqIndex);
+      if (XARGS_LONG_FLAGS_WITH_VALUE.has(longFlag)) {
+        if (eqIndex !== -1) {
+          i++;
+          continue;
+        }
+        if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
+        i += 2;
+        continue;
+      }
+      if (XARGS_LONG_FLAGS_NO_VALUE.has(longFlag)) {
+        i++;
+        continue;
+      }
+      return { subcommand: null, unresolved: true };
+    }
+    const short = arg[1];
+    if (XARGS_SHORT_FLAGS_WITH_VALUE.has(short)) {
+      if (arg.length > 2) {
+        i++;
+        continue;
+      }
+      if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
+      i += 2;
+      continue;
+    }
+    const grouped = arg.slice(1).split("");
+    const allKnownNoValue = grouped.every((ch) => XARGS_SHORT_FLAGS_NO_VALUE.has(ch));
+    if (allKnownNoValue) {
+      i++;
+      continue;
+    }
+    return { subcommand: null, unresolved: true };
+  }
+  if (i >= args2.length) {
+    return {
+      unresolved: false,
+      subcommand: {
+        command: "echo",
+        originalCommand: "echo",
+        args: [],
+        envPrefixes: [],
+        raw: "echo"
+      }
+    };
+  }
+  const subcommand = args2[i];
+  const subArgs = args2.slice(i + 1);
+  return {
+    unresolved: false,
+    subcommand: {
+      command: subcommand,
+      originalCommand: subcommand,
+      args: subArgs,
+      envPrefixes: [],
+      raw: [subcommand, ...subArgs].join(" ")
+    }
+  };
+}
+function evaluateXargsCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { subcommand, unresolved } = parseXargsSubcommand(args2);
+  if (unresolved || !subcommand) {
+    return {
+      command,
+      args: args2,
+      decision: "ask",
+      reason: "xargs subcommand could not be resolved safely",
+      matchedRule: "xargs:subcommand"
+    };
+  }
+  const isShellExec = (subcommand.command === "sh" || subcommand.command === "bash" || subcommand.command === "zsh") && subcommand.args.length >= 2 && subcommand.args[0] === "-c";
+  let parsed;
+  if (isShellExec) {
+    const innerResult = parseCommand(subcommand.args[1]);
+    if (innerResult.parseError) {
+      parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
+    } else {
+      parsed = innerResult;
+    }
+  } else {
+    parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
+  }
+  const result = evaluate(parsed, config, cwd, depth + 1);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `xargs subcommand "${subcommand.command}": ${result.reason}`,
+    matchedRule: "xargs:subcommand"
+  };
 }
-var USER_CONFIG_PATHS = [
-  (0, import_path3.join)((0, import_os2.homedir)(), ".claude", "warden.yaml"),
-  (0, import_path3.join)((0, import_os2.homedir)(), ".claude", "warden.json")
-];
-var PROJECT_CONFIG_NAMES = [
-  ".claude/warden.yaml",
-  ".claude/warden.json"
-];
-function loadConfig(cwd) {
-  const config = structuredClone(DEFAULT_CONFIG);
-  const defaultLayer = config.layers[0];
-  let userLayer = null;
-  let userRaw = null;
-  for (const configPath of USER_CONFIG_PATHS) {
-    const result = tryLoadFile(configPath);
-    if (result) {
-      userLayer = extractLayer(result);
-      userRaw = result;
+function parseFindExecCommands(args2) {
+  const commands = [];
+  let i = 0;
+  while (i < args2.length) {
+    if (args2[i] === "-exec" || args2[i] === "-execdir") {
+      i++;
+      const cmdArgs = [];
+      while (i < args2.length && args2[i] !== ";" && args2[i] !== "+") {
+        if (args2[i] !== "{}") {
+          cmdArgs.push(args2[i]);
+        }
+        i++;
+      }
+      i++;
+      if (cmdArgs.length > 0) {
+        commands.push({
+          command: cmdArgs[0],
+          originalCommand: cmdArgs[0],
+          args: cmdArgs.slice(1),
+          envPrefixes: [],
+          raw: cmdArgs.join(" ")
+        });
+      }
+    } else {
+      i++;
+    }
+  }
+  return commands;
+}
+function evaluateFindCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2.some((a) => a === "-delete")) {
+    return { command, args: args2, decision: "ask", reason: "find -delete can remove files", matchedRule: "find:delete" };
+  }
+  if (args2.some((a) => a === "-ok" || a === "-okdir")) {
+    return { command, args: args2, decision: "ask", reason: "find -ok/-okdir can execute commands interactively", matchedRule: "find:ok" };
+  }
+  const execCommands = parseFindExecCommands(args2);
+  if (execCommands.length === 0) {
+    return { command, args: args2, decision: "allow", reason: "find without dangerous flags", matchedRule: "find:safe" };
+  }
+  for (const execCmd of execCommands) {
+    const parsed = {
+      commands: [execCmd],
+      hasSubshell: false,
+      subshellCommands: [],
+      parseError: false
+    };
+    const result = evaluate(parsed, config, cwd, depth + 1);
+    if (result.decision === "deny") {
+      return { command, args: args2, decision: "deny", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+    if (result.decision === "ask") {
+      return { command, args: args2, decision: "ask", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+  }
+  return { command, args: args2, decision: "allow", reason: "find -exec commands are safe", matchedRule: "find:exec" };
+}
+var SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-b",
+  "-c",
+  "-D",
+  "-E",
+  "-e",
+  "-F",
+  "-I",
+  "-i",
+  "-J",
+  "-L",
+  "-l",
+  "-m",
+  "-O",
+  "-o",
+  "-p",
+  "-Q",
+  "-R",
+  "-S",
+  "-W",
+  "-w"
+]);
+function findMatchingTarget(value, targets) {
+  return targets.find((t) => globToRegex(t.name).test(value)) || null;
+}
+function parseSSHArgs(args2) {
+  let host = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (SSH_FLAGS_WITH_VALUE.has(arg)) {
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!host) {
+      host = arg.includes("@") ? arg.split("@").pop() : arg;
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
+      }
       break;
     }
-  }
-  let workspaceLayer = null;
-  let workspaceRaw = null;
-  if (cwd) {
-    for (const name of PROJECT_CONFIG_NAMES) {
-      const result = tryLoadFile((0, import_path3.join)(cwd, name));
-      if (result) {
-        workspaceLayer = extractLayer(result);
-        workspaceRaw = result;
-        break;
+    i++;
+  }
+  return {
+    host,
+    remoteCommand: remoteArgs.length > 0 ? remoteArgs.map(shellQuote).join(" ") : null
+  };
+}
+function extractHostFromRemotePath(args2) {
+  for (const arg of args2) {
+    const match = arg.match(/^(?:[^@]+@)?([^:]+):/);
+    if (match) return match[1];
+  }
+  return null;
+}
+function evaluateSSHCommand(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (command === "scp" || command === "rsync") {
+    const host2 = extractHostFromRemotePath(args2);
+    if (!host2) return null;
+    const target2 = findMatchingTarget(host2, targets);
+    if (!target2) return null;
+    if (target2.allowAll || !target2.overrides) {
+      return {
+        command,
+        args: args2,
+        decision: "allow",
+        reason: `Trusted SSH host "${host2}"${target2.allowAll ? " (allowAll)" : ""}`,
+        matchedRule: "trustedSSHHosts"
+      };
+    }
+    if (target2.overrides.alwaysDeny.some((name) => name === command)) {
+      return {
+        command,
+        args: args2,
+        decision: "deny",
+        reason: `Trusted SSH host "${host2}": "${command}" blocked by overrides`,
+        matchedRule: "trustedSSHHosts"
+      };
+    }
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host2}"`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  const { host, remoteCommand } = parseSSHArgs(args2);
+  if (!host) return null;
+  const target = findMatchingTarget(host, targets);
+  if (!target) return null;
+  if (!remoteCommand) {
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host}" (interactive)`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  if (target.allowAll) {
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host}" (allowAll)`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  const parsed = parseCommand(remoteCommand);
+  const result = evaluate(parsed, configWithContextOverrides(config, target), depth + 1);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted SSH host "${host}": ${result.reason}`,
+    matchedRule: "trustedSSHHosts"
+  };
+}
+var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-e",
+  "--env",
+  "--env-file",
+  "-u",
+  "--user",
+  "-w",
+  "--workdir",
+  "--detach-keys"
+]);
+var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
+function shellQuote(arg) {
+  if (/[\s"'\\$`!#&|;()<>]/.test(arg)) {
+    return `'${arg.replace(/'/g, "'\\''")}'`;
+  }
+  return arg;
+}
+function configWithContextOverrides(config, target) {
+  const overrideLayers = [];
+  if (target?.overrides) overrideLayers.push(target.overrides);
+  if (config.trustedContextOverrides) overrideLayers.push(config.trustedContextOverrides);
+  if (overrideLayers.length === 0) return config;
+  return {
+    ...config,
+    layers: [...overrideLayers, ...config.layers]
+  };
+}
+function evaluateRemoteCommand(remoteArgs, config, target, depth = 0) {
+  if (target?.allowAll) {
+    return { decision: "allow", reason: "allowAll target", details: [] };
+  }
+  const overriddenConfig = configWithContextOverrides(config, target);
+  if (remoteArgs.length === 0) {
+    return { decision: "allow", reason: "interactive", details: [] };
+  }
+  const remoteCmd = remoteArgs[0];
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs.length === 1) {
+    return { decision: "allow", reason: "interactive shell", details: [] };
+  }
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs[1] === "-c" && remoteArgs.length >= 3) {
+    const innerCommand = remoteArgs.slice(2).join(" ");
+    const parsed2 = parseCommand(innerCommand);
+    return evaluate(parsed2, overriddenConfig, depth + 1);
+  }
+  const parsed = {
+    commands: [{ command: remoteCmd, originalCommand: remoteCmd, args: remoteArgs.slice(1), envPrefixes: [], raw: remoteArgs.join(" ") }],
+    hasSubshell: false,
+    subshellCommands: [],
+    parseError: false
+  };
+  return evaluate(parsed, overriddenConfig, depth + 1);
+}
+function parseDockerExecArgs(args2) {
+  let target = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (DOCKER_EXEC_FLAGS_WITH_VALUE.has(arg)) {
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!target) {
+      target = arg;
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
       }
+      break;
     }
+    i++;
   }
-  config.layers = [
-    ...workspaceLayer ? [workspaceLayer] : [],
-    ...userLayer ? [userLayer] : [],
-    defaultLayer
-  ];
-  if (userRaw) mergeNonLayerFields(config, userRaw);
-  if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
-  return config;
+  return { target, remoteArgs };
 }
-function tryLoadFile(filePath) {
-  if (!(0, import_fs.existsSync)(filePath)) return null;
-  try {
-    const raw = (0, import_fs.readFileSync)(filePath, "utf-8");
-    const parsed = filePath.endsWith(".yaml") || filePath.endsWith(".yml") ? (0, import_yaml.parse)(raw) : JSON.parse(raw);
-    if (parsed && typeof parsed === "object") {
-      return parsed;
+function evaluateDockerExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2[0] !== "exec") return null;
+  const { target: containerName, remoteArgs } = parseDockerExecArgs(args2.slice(1));
+  if (!containerName) return null;
+  const matched = findMatchingTarget(containerName, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted Docker container "${containerName}" (${result.reason})`,
+    matchedRule: "trustedDockerContainers"
+  };
+}
+var KUBECTL_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-n",
+  "--namespace",
+  "-c",
+  "--container",
+  "--context",
+  "--cluster",
+  "--kubeconfig",
+  "-s",
+  "--server",
+  "--token",
+  "--user",
+  "--as",
+  "--as-group",
+  "--certificate-authority",
+  "--client-certificate",
+  "--client-key",
+  "-l",
+  "--selector",
+  "-f",
+  "--filename",
+  "--cache-dir",
+  "--request-timeout",
+  "-o",
+  "--output"
+]);
+function parseKubectlExecArgs(args2) {
+  let context = null;
+  let pod = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg === "--") {
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
+      }
+      break;
     }
-  } catch (err) {
-    process.stderr.write(`[warden] Warning: failed to parse config ${filePath}: ${err instanceof Error ? err.message : String(err)}
-`);
+    if (arg.startsWith("--") && arg.includes("=")) {
+      if (arg.startsWith("--context=")) {
+        context = arg.split("=")[1];
+      }
+      i++;
+      continue;
+    }
+    if (KUBECTL_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "--context") context = args2[i + 1] || null;
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!pod) {
+      pod = arg;
+    }
+    i++;
   }
-  return null;
+  return { context, pod, remoteArgs };
+}
+function evaluateKubectlExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2[0] !== "exec") return null;
+  const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
+  if (!context) return null;
+  const matched = findMatchingTarget(context, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (${result.reason})`,
+    matchedRule: "trustedKubectlContexts"
+  };
 }
-var KNOWN_COMMANDS = /* @__PURE__ */ new Set([
-  ...DEFAULT_CONFIG.layers[0].alwaysAllow,
-  ...DEFAULT_CONFIG.layers[0].alwaysDeny,
-  ...DEFAULT_CONFIG.layers[0].rules.map((r) => r.command)
+var SPRITE_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-o",
+  "--org",
+  "-s",
+  "--sprite"
 ]);
-function warnArgPatternCommandMismatch(rule) {
-  if (!Array.isArray(rule.argPatterns)) return;
-  for (const pattern of rule.argPatterns) {
-    const matchers = [
-      ...pattern.match?.anyArgMatches || [],
-      ...pattern.match?.argsMatch || []
-    ];
-    for (const m of matchers) {
-      const literals = extractLiteralsFromPattern(m);
-      for (const lit of literals) {
-        if (lit !== rule.command && KNOWN_COMMANDS.has(lit)) {
-          process.stderr.write(
-            `[warden] Warning: rule for "${rule.command}" has argPattern matching "${lit}" \u2014 this won't work as expected. Rules are matched by the command being run, not its arguments. If you want to control "${lit}", add a separate rule with command: "${lit}".
-`
-          );
-        }
+function parseSpriteExecArgs(args2) {
+  let spriteName = null;
+  const remoteArgs = [];
+  let foundExec = false;
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg.startsWith("--") && arg.includes("=")) {
+      if (arg.startsWith("--sprite=")) {
+        spriteName = arg.split("=")[1];
+      }
+      i++;
+      continue;
+    }
+    if (SPRITE_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "-s" || arg === "--sprite") {
+        spriteName = args2[i + 1] || null;
+      }
+      i += 2;
+      continue;
+    }
+    if (arg === "--debug") {
+      i++;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!foundExec) {
+      if (arg === "exec" || arg === "x" || arg === "console" || arg === "c") {
+        foundExec = true;
+        i++;
+        continue;
       }
+      return { spriteName: null, remoteArgs: [] };
     }
+    while (i < args2.length) {
+      remoteArgs.push(args2[i]);
+      i++;
+    }
+    break;
   }
+  return { spriteName, remoteArgs };
 }
-function extractLiteralsFromPattern(pattern) {
-  let cleaned = pattern.replace(/^\^?\(?(.*?)\)?\$?$/, "$1");
-  return cleaned.split("|").map((s) => s.trim()).filter((s) => /^[a-z][a-z0-9_-]*$/i.test(s));
+function evaluateSpriteExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
+  if (!spriteName) return null;
+  const matched = findMatchingTarget(spriteName, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted sprite "${spriteName}" (${result.reason})`,
+    matchedRule: "trustedSprites"
+  };
 }
-function extractLayer(raw) {
-  const rules = Array.isArray(raw.rules) ? raw.rules : [];
-  for (const rule of rules) {
-    if (rule && typeof rule === "object") {
-      if (rule.default && !isValidDecision(rule.default)) {
-        process.stderr.write(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
-`);
-        rule.default = "ask";
+var FLY_SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-a",
+  "--app",
+  "-C",
+  "--command",
+  "-o",
+  "--org",
+  "-r",
+  "--region",
+  "-u",
+  "--user",
+  "--address"
+]);
+function parseFlySSHArgs(args2) {
+  let app = null;
+  const remoteArgs = [];
+  let isSSH = false;
+  let foundConsole = false;
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg.startsWith("--app=")) {
+      app = arg.slice(6);
+      i++;
+      continue;
+    }
+    if (FLY_SSH_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "-a" || arg === "--app") {
+        app = args2[i + 1] || null;
       }
-      if (Array.isArray(rule.argPatterns)) {
-        for (const pattern of rule.argPatterns) {
-          if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            process.stderr.write(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
-`);
-            pattern.decision = "ask";
+      if ((arg === "-C" || arg === "--command") && foundConsole) {
+        const cmdValue = args2[i + 1];
+        if (cmdValue) {
+          const parsed = parseCommand(cmdValue);
+          if (!parsed.parseError && parsed.commands.length > 0) {
+            const cmd = parsed.commands[0];
+            remoteArgs.push(cmd.command, ...cmd.args);
           }
         }
+        i += 2;
+        continue;
       }
-      warnArgPatternCommandMismatch(rule);
+      i += 2;
+      continue;
     }
-  }
-  return {
-    alwaysAllow: Array.isArray(raw.alwaysAllow) ? raw.alwaysAllow : [],
-    alwaysDeny: Array.isArray(raw.alwaysDeny) ? raw.alwaysDeny : [],
-    rules
-  };
-}
-function parseTrustedList(raw) {
-  return raw.map((entry) => {
-    if (typeof entry === "string") return { name: entry };
-    if (entry && typeof entry === "object" && "name" in entry) {
-      const obj = entry;
-      const target = { name: String(obj.name) };
-      if (obj.allowAll === true) target.allowAll = true;
-      if (obj.overrides && typeof obj.overrides === "object") {
-        target.overrides = extractLayer(obj.overrides);
+    if (arg === "--") {
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
       }
-      return target;
+      break;
     }
-    return null;
-  }).filter((t) => t !== null);
-}
-var VALID_REMOTE_CONTEXTS = /* @__PURE__ */ new Set(["ssh", "docker", "kubectl", "sprite", "fly"]);
-function parseTrustedRemotes(raw) {
-  const results = [];
-  for (const entry of raw) {
-    if (!entry || typeof entry !== "object") continue;
-    const obj = entry;
-    const context = String(obj.context || "");
-    if (!VALID_REMOTE_CONTEXTS.has(context)) {
-      process.stderr.write(`[warden] Warning: unknown remote context "${context}", skipping
-`);
+    if (arg.startsWith("-")) {
+      i++;
       continue;
     }
-    const name = String(obj.name || "");
-    if (!name) continue;
-    const remote = { name, context };
-    if (obj.allowAll === true) remote.allowAll = true;
-    if (obj.overrides && typeof obj.overrides === "object") {
-      remote.overrides = extractLayer(obj.overrides);
+    if (!isSSH && arg === "ssh") {
+      isSSH = true;
+      i++;
+      continue;
     }
-    results.push(remote);
-  }
-  return results;
-}
-function parseTargetPolicies(raw) {
-  const results = [];
-  for (const entry of raw) {
-    if (!entry || typeof entry !== "object") continue;
-    const obj = entry;
-    const type = String(obj.type || "");
-    const rawDecision = String(obj.decision || "allow");
-    const decision = isValidDecision(rawDecision) ? rawDecision : "allow";
-    const base = {
-      commands: Array.isArray(obj.commands) ? obj.commands.map(String) : void 0,
-      decision,
-      reason: obj.reason ? String(obj.reason) : void 0,
-      allowAll: obj.allowAll === true ? true : void 0
-    };
-    switch (type) {
-      case "path": {
-        const path = String(obj.path || "");
-        if (!path) continue;
-        const policy = { ...base, type: "path", path };
-        if (obj.recursive === false) policy.recursive = false;
-        results.push(policy);
-        break;
-      }
-      case "database": {
-        const host = String(obj.host || "");
-        if (!host) continue;
-        const policy = { ...base, type: "database", host };
-        if (typeof obj.port === "number") policy.port = obj.port;
-        if (obj.database) policy.database = String(obj.database);
-        results.push(policy);
-        break;
-      }
-      case "endpoint": {
-        const pattern = String(obj.pattern || "");
-        if (!pattern) continue;
-        results.push({ ...base, type: "endpoint", pattern });
-        break;
-      }
-      default:
-        process.stderr.write(`[warden] Warning: unknown target policy type "${type}", skipping
-`);
+    if (isSSH && !foundConsole && (arg === "console" || arg === "sftp")) {
+      foundConsole = true;
+      i++;
+      continue;
     }
+    i++;
   }
-  return results;
+  return { app, remoteArgs, isSSH: isSSH && foundConsole };
 }
-function parseLegacyPaths(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const path = String(obj.path || "");
-    if (!path) continue;
-    const tp = { type: "path", path, decision };
-    if (obj.recursive === false) tp.recursive = false;
-    if (Array.isArray(obj.commands)) tp.commands = obj.commands.map(String);
-    if (obj.reason) tp.reason = String(obj.reason);
-    results.push(tp);
-  }
-  return results;
+function evaluateFlyCommand(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { app, remoteArgs, isSSH } = parseFlySSHArgs(args2);
+  if (!isSSH) return null;
+  if (!app) return null;
+  const matched = findMatchingTarget(app, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted Fly app "${app}" (${result.reason})`,
+    matchedRule: "trustedFlyApps"
+  };
 }
-function parseLegacyDatabases(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const host = String(obj.host || "");
-    if (!host) continue;
-    const td = { type: "database", host, decision };
-    if (typeof obj.port === "number") td.port = obj.port;
-    if (obj.database) td.database = String(obj.database);
-    if (Array.isArray(obj.commands)) td.commands = obj.commands.map(String);
-    if (obj.reason) td.reason = String(obj.reason);
-    results.push(td);
-  }
-  return results;
+
+// src/core.ts
+function wardenEvalWithConfig(command, config, cwd) {
+  const parsed = parseCommand(command);
+  return evaluate(parsed, config, cwd);
 }
-function parseLegacyEndpoints(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const pattern = String(obj.pattern || "");
-    if (!pattern) continue;
-    const te = { type: "endpoint", pattern, decision };
-    if (Array.isArray(obj.commands)) te.commands = obj.commands.map(String);
-    if (obj.reason) te.reason = String(obj.reason);
-    results.push(te);
-  }
-  return results;
+
+// src/codex.ts
+function toCodexDecision(decision) {
+  if (decision === "allow") return "allow";
+  if (decision === "ask") return "prompt";
+  return "forbidden";
 }
-var LEGACY_REMOTE_MAP = {
-  trustedSSHHosts: "ssh",
-  trustedDockerContainers: "docker",
-  trustedKubectlContexts: "kubectl",
-  trustedSprites: "sprite",
-  trustedFlyApps: "fly"
-};
-function mergeNonLayerFields(config, raw) {
-  if (Array.isArray(raw.trustedRemotes)) {
-    config.trustedRemotes = [...config.trustedRemotes || [], ...parseTrustedRemotes(raw.trustedRemotes)];
-  }
-  if (Array.isArray(raw.targetPolicies)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseTargetPolicies(raw.targetPolicies)];
-  }
-  for (const [key, context] of Object.entries(LEGACY_REMOTE_MAP)) {
-    if (Array.isArray(raw[key])) {
-      const remotes = parseTrustedList(raw[key]).map((t) => ({ ...t, context }));
-      config.trustedRemotes = [...config.trustedRemotes || [], ...remotes];
-    }
-  }
-  if (Array.isArray(raw.trustedPaths)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyPaths(raw.trustedPaths)];
-  }
-  if (Array.isArray(raw.trustedDatabases)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyDatabases(raw.trustedDatabases)];
-  }
-  if (Array.isArray(raw.trustedEndpoints)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyEndpoints(raw.trustedEndpoints)];
-  }
-  if (typeof raw.defaultDecision === "string") {
-    if (isValidDecision(raw.defaultDecision)) {
-      config.defaultDecision = raw.defaultDecision;
-    } else {
-      process.stderr.write(`[warden] Warning: invalid defaultDecision "${raw.defaultDecision}", ignoring
-`);
-    }
-  }
-  if (typeof raw.askOnSubshell === "boolean") {
-    config.askOnSubshell = raw.askOnSubshell;
-  }
-  if (typeof raw.notifyOnAsk === "boolean") {
-    config.notifyOnAsk = raw.notifyOnAsk;
+function quote(value) {
+  return JSON.stringify(value);
+}
+function collectCandidateCommands(config) {
+  const names = /* @__PURE__ */ new Set();
+  for (const layer of config.layers) {
+    for (const name of layer.alwaysAllow) names.add(name);
+    for (const name of layer.alwaysDeny) names.add(name);
+    for (const rule of layer.rules) names.add(rule.command);
   }
-  if (typeof raw.notifyOnDeny === "boolean") {
-    config.notifyOnDeny = raw.notifyOnDeny;
+  return [...names].map((n) => n.trim()).filter((n) => n.length > 0 && !/\s/.test(n)).sort();
+}
+function buildCodexRuleRecords(config) {
+  const records = [];
+  for (const command of collectCandidateCommands(config)) {
+    const result = wardenEvalWithConfig(command, config);
+    records.push({
+      command,
+      decision: result.decision,
+      reason: result.reason
+    });
   }
-  if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
-    const overrides = raw.trustedContextOverrides;
-    const layer = extractLayer(overrides);
-    if (config.trustedContextOverrides) {
-      config.trustedContextOverrides = {
-        alwaysAllow: [...layer.alwaysAllow, ...config.trustedContextOverrides.alwaysAllow],
-        alwaysDeny: [...layer.alwaysDeny, ...config.trustedContextOverrides.alwaysDeny],
-        rules: [...layer.rules, ...config.trustedContextOverrides.rules]
-      };
-    } else {
-      config.trustedContextOverrides = layer;
-    }
+  return records;
+}
+function generateCodexRules(config) {
+  const lines = [
+    "# Generated by claude-warden.",
+    "# Regenerate with: pnpm codex:export-rules",
+    ""
+  ];
+  for (const record of buildCodexRuleRecords(config)) {
+    lines.push(
+      `prefix_rule(pattern = [${quote(record.command)}], decision = ${quote(toCodexDecision(record.decision))}, justification = ${quote(`Warden: ${record.reason}`)})`
+    );
   }
+  lines.push("");
+  return lines.join("\n");
 }
 
 // src/codex-export.ts
+setQuiet(false);
 function parseArgs(argv) {
   let cwd = process.cwd();
   let outPath = null;