npm - claude-warden - Versions diffs - 2.3.2 → 2.4.1 - Mend

claude-warden 2.3.2 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.claude-plugin/marketplace.json +1 -1
package/.claude-plugin/plugin.json +1 -1
package/.github/hooks/warden.json +12 -0
package/README.md +58 -1
package/dist/cli.cjs +20684 -0
package/dist/codex-export.cjs +1274 -1289
package/dist/copilot.cjs +20653 -0
package/dist/index.cjs +1233 -1255
package/package.json +9 -2

package/dist/index.cjs CHANGED Viewed

@@ -12481,7 +12481,7 @@ var require_log = __commonJS({
       if (logLevel === "debug")
         console.log(...messages);
     }
-    function warn(logLevel, warning) {
+    function warn2(logLevel, warning) {
       if (logLevel === "debug" || logLevel === "warn") {
         if (typeof node_process.emitWarning === "function")
           node_process.emitWarning(warning);
@@ -12490,7 +12490,7 @@ var require_log = __commonJS({
       }
     }
     exports2.debug = debug;
-    exports2.warn = warn;
+    exports2.warn = warn2;
   }
 });
@@ -18450,7 +18450,7 @@ function regexFallbackParse(input) {
 }
 // src/evaluator.ts
-var import_os = require("os");
+var import_os2 = require("os");
 // src/targets.ts
 var import_path2 = require("path");
@@ -18728,984 +18728,152 @@ function evaluateTargetPolicies(cmd, cwd, config) {
   return results[0];
 }
-// src/evaluator.ts
-function safeRegexTest(pattern, input) {
-  try {
-    return new RegExp(pattern).test(input);
-  } catch {
-    process.stderr.write(`[warden] Warning: invalid regex pattern: ${pattern}
-`);
-    return false;
-  }
-}
-function commandMatchesName(cmd, name) {
-  if (name.startsWith("/")) {
-    return cmd.originalCommand === name;
-  }
-  if (name.startsWith("~/")) {
-    return cmd.originalCommand === (0, import_os.homedir)() + name.slice(1);
-  }
-  return cmd.command === name;
-}
-var MAX_RECURSION_DEPTH = 10;
-function evaluate(parsed, config, cwdOrDepth, maybeDepth) {
-  const cwd = typeof cwdOrDepth === "string" ? cwdOrDepth : void 0;
-  const depth = typeof cwdOrDepth === "number" ? cwdOrDepth : maybeDepth ?? 0;
-  if (depth > MAX_RECURSION_DEPTH) {
-    return { decision: "ask", reason: "Maximum recursion depth exceeded", details: [] };
-  }
-  if (parsed.parseError) {
-    return { decision: "ask", reason: "Could not parse command safely", details: [] };
-  }
-  if (parsed.commands.length === 0) {
-    return { decision: "allow", reason: "Empty command", details: [] };
-  }
-  if (parsed.hasSubshell && parsed.subshellCommands.length > 0) {
-    for (const subCmd of parsed.subshellCommands) {
-      const subParsed = parseCommand(subCmd);
-      const subResult = evaluate(subParsed, config, cwd, depth + 1);
-      if (subResult.decision === "deny") {
-        return { decision: "deny", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
-      }
-      if (subResult.decision === "ask") {
-        return { decision: "ask", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
-      }
-    }
-  } else if (parsed.hasSubshell && parsed.subshellCommands.length === 0 && config.askOnSubshell) {
-    return { decision: "ask", reason: "Command contains subshell/command substitution", details: [] };
-  }
-  const details = [];
-  for (const cmd of parsed.commands) {
-    details.push(evaluateCommand(cmd, config, cwd, depth));
-  }
-  const decisions = details.map((d) => d.decision);
-  if (decisions.includes("deny")) {
-    const denied = details.filter((d) => d.decision === "deny");
-    return {
-      decision: "deny",
-      reason: denied.map((d) => `${d.command}: ${d.reason}`).join("; "),
-      details
-    };
-  }
-  if (decisions.includes("ask")) {
-    const asked = details.filter((d) => d.decision === "ask");
-    return {
-      decision: "ask",
-      reason: asked.map((d) => `${d.command}: ${d.reason}`).join("; "),
-      details
-    };
-  }
-  return { decision: "allow", reason: "All commands are safe", details };
-}
-function evaluateCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  for (const layer of config.layers) {
-    if (layer.alwaysDeny.some((name) => commandMatchesName(cmd, name))) {
-      return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
-    }
-    if (layer.alwaysAllow.some((name) => commandMatchesName(cmd, name))) {
-      return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
-    }
-  }
-  if (cwd) {
-    const targetResult = evaluateTargetPolicies(cmd, cwd, config);
-    if (targetResult) return targetResult;
-  }
-  const remotes = config.trustedRemotes || [];
-  if (command === "ssh" || command === "scp" || command === "rsync") {
-    const sshTargets = remotes.filter((r) => r.context === "ssh");
-    if (sshTargets.length) {
-      const sshResult = evaluateSSHCommand(cmd, config, sshTargets, depth);
-      if (sshResult) return sshResult;
-    }
-  }
-  if (command === "docker") {
-    const dockerTargets = remotes.filter((r) => r.context === "docker");
-    if (dockerTargets.length) {
-      const dockerResult = evaluateDockerExec(cmd, config, dockerTargets, depth);
-      if (dockerResult) return dockerResult;
-    }
-  }
-  if (command === "kubectl") {
-    const kubectlTargets = remotes.filter((r) => r.context === "kubectl");
-    if (kubectlTargets.length) {
-      const kubectlResult = evaluateKubectlExec(cmd, config, kubectlTargets, depth);
-      if (kubectlResult) return kubectlResult;
-    }
-  }
-  if (command === "sprite") {
-    const spriteTargets = remotes.filter((r) => r.context === "sprite");
-    if (spriteTargets.length) {
-      const spriteResult = evaluateSpriteExec(cmd, config, spriteTargets, depth);
-      if (spriteResult) return spriteResult;
-    }
-  }
-  if (command === "fly" || command === "flyctl") {
-    const flyTargets = remotes.filter((r) => r.context === "fly");
-    if (flyTargets.length) {
-      const flyResult = evaluateFlyCommand(cmd, config, flyTargets, depth);
-      if (flyResult) return flyResult;
-    }
-  }
-  if (command === "xargs") {
-    return evaluateXargsCommand(cmd, config, cwd, depth);
-  }
-  if (command === "find") {
-    return evaluateFindCommand(cmd, config, cwd, depth);
-  }
-  const mergedRule = collectMergedRule(cmd, config);
-  if (mergedRule) {
-    return evaluateRule(cmd, mergedRule);
-  }
-  return { command, args: args2, decision: config.defaultDecision, reason: `No rule for "${command}"`, matchedRule: "default" };
+// src/rules.ts
+var import_fs = require("fs");
+var import_yaml = __toESM(require_dist2(), 1);
+var import_os = require("os");
+var import_path3 = require("path");
+// src/defaults.ts
+var SAFE_DEV_TOOLS = [
+  "jest",
+  "vitest",
+  "tsc",
+  "eslint",
+  "prettier",
+  "mkdirp",
+  "concurrently",
+  "turbo",
+  "next",
+  "nuxt",
+  "vite",
+  "astro",
+  "playwright",
+  "cypress",
+  "mocha",
+  "nyc",
+  "c8",
+  "ts-jest",
+  "tsup",
+  "esbuild",
+  "rollup",
+  "webpack",
+  "prisma",
+  "drizzle-kit",
+  "typeorm",
+  "knex",
+  "sequelize-cli",
+  "tailwindcss",
+  "postcss",
+  "autoprefixer",
+  "lint-staged",
+  "husky",
+  "changeset",
+  "semantic-release",
+  "lerna",
+  "nx",
+  "create-react-app",
+  "create-next-app",
+  "create-vite",
+  "degit",
+  "storybook",
+  "wrangler",
+  "netlify",
+  "vercel",
+  "json",
+  "biome"
+];
+var SCRIPT_RUNNERS = ["tsx", "ts-node", "nodemon"];
+var REGISTRY_OPS = ["publish", "unpublish", "deprecate", "owner", "access", "token", "adduser", "login", "logout"];
+var SAFE_PKG_MANAGER_CMDS = [
+  "install",
+  "add",
+  "remove",
+  "uninstall",
+  "update",
+  "upgrade",
+  "outdated",
+  "ls",
+  "list",
+  "run",
+  "test",
+  "start",
+  "build",
+  "init",
+  "create",
+  "info",
+  "view",
+  "show",
+  "why",
+  "pack",
+  "cache",
+  "config",
+  "get",
+  "set",
+  "version",
+  "help",
+  "exec",
+  "dedupe",
+  "prune",
+  "audit",
+  "completion",
+  "whoami"
+];
+var VERSION_HELP_FLAGS = {
+  match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] },
+  decision: "allow",
+  description: "Version/help flags"
+};
+function anyArgMatchesPattern(items) {
+  return `^(${items.join("|")})$`;
 }
-function collectMergedRule(cmd, config) {
-  const matchingRules = [];
-  for (const layer of config.layers) {
-    const rule = layer.rules.find((r) => commandMatchesName(cmd, r.command));
-    if (rule) {
-      matchingRules.push(rule);
-      if (rule.override) break;
-    }
-  }
-  if (matchingRules.length === 0) return null;
-  if (matchingRules.length === 1) return matchingRules[0];
-  const mergedPatterns = [];
-  for (const rule of matchingRules) {
-    if (rule.argPatterns) {
-      mergedPatterns.push(...rule.argPatterns);
-    }
-  }
+function safeDevToolsPattern() {
   return {
-    command: matchingRules[0].command,
-    default: matchingRules[0].default,
-    argPatterns: mergedPatterns
+    match: { anyArgMatches: [anyArgMatchesPattern(SAFE_DEV_TOOLS)] },
+    decision: "allow",
+    description: "Well-known dev tools"
   };
 }
-function evaluateRule(cmd, rule) {
-  const { command, args: args2 } = cmd;
-  const argsJoined = args2.join(" ");
-  for (const pattern of rule.argPatterns || []) {
-    const m = pattern.match;
-    let matched = true;
-    if (m.noArgs !== void 0) {
-      matched = matched && m.noArgs === (args2.length === 0);
-    }
-    if (m.argsMatch && matched) {
-      matched = m.argsMatch.some((re) => safeRegexTest(re, argsJoined));
-    }
-    if (m.anyArgMatches && matched) {
-      matched = args2.some((arg) => m.anyArgMatches.some((re) => safeRegexTest(re, arg)));
-    }
-    if (m.argCount && matched) {
-      if (m.argCount.min !== void 0) matched = matched && args2.length >= m.argCount.min;
-      if (m.argCount.max !== void 0) matched = matched && args2.length <= m.argCount.max;
-    }
-    if (m.not) matched = !matched;
-    if (matched) {
-      return {
-        command,
-        args: args2,
-        decision: pattern.decision,
-        reason: pattern.reason || pattern.description || `Matched pattern for "${command}"`,
-        matchedRule: `${command}:argPattern`
-      };
-    }
-  }
+function scriptRunnersPattern() {
   return {
-    command,
-    args: args2,
-    decision: rule.default,
-    reason: `Default for "${command}"`,
-    matchedRule: `${command}:default`
+    match: { anyArgMatches: [anyArgMatchesPattern(SCRIPT_RUNNERS)] },
+    decision: "ask",
+    reason: "Script runners can execute arbitrary code"
   };
 }
-var XARGS_SHORT_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set(["E", "I", "L", "n", "P", "s", "S", "d", "a"]);
-var XARGS_SHORT_FLAGS_NO_VALUE = /* @__PURE__ */ new Set(["0", "e", "o", "p", "r", "t", "x"]);
-var XARGS_LONG_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "--eof",
-  "--replace",
-  "--max-lines",
-  "--max-args",
-  "--max-procs",
-  "--max-chars",
-  "--arg-file",
-  "--delimiter"
-]);
-var XARGS_LONG_FLAGS_NO_VALUE = /* @__PURE__ */ new Set([
-  "--null",
-  "--exit",
-  "--open-tty",
-  "--interactive",
-  "--no-run-if-empty",
-  "--verbose",
-  "--show-limits"
-]);
-function parseXargsSubcommand(args2) {
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg === "--") {
-      i++;
-      break;
-    }
-    if (!arg.startsWith("-") || arg === "-") {
-      break;
-    }
-    if (arg.startsWith("--")) {
-      const eqIndex = arg.indexOf("=");
-      const longFlag = eqIndex === -1 ? arg : arg.slice(0, eqIndex);
-      if (XARGS_LONG_FLAGS_WITH_VALUE.has(longFlag)) {
-        if (eqIndex !== -1) {
-          i++;
-          continue;
-        }
-        if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
-        i += 2;
-        continue;
-      }
-      if (XARGS_LONG_FLAGS_NO_VALUE.has(longFlag)) {
-        i++;
-        continue;
-      }
-      return { subcommand: null, unresolved: true };
-    }
-    const short = arg[1];
-    if (XARGS_SHORT_FLAGS_WITH_VALUE.has(short)) {
-      if (arg.length > 2) {
-        i++;
-        continue;
-      }
-      if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
-      i += 2;
-      continue;
-    }
-    const grouped = arg.slice(1).split("");
-    const allKnownNoValue = grouped.every((ch) => XARGS_SHORT_FLAGS_NO_VALUE.has(ch));
-    if (allKnownNoValue) {
-      i++;
-      continue;
-    }
-    return { subcommand: null, unresolved: true };
-  }
-  if (i >= args2.length) {
-    return {
-      unresolved: false,
-      subcommand: {
-        command: "echo",
-        originalCommand: "echo",
-        args: [],
-        envPrefixes: [],
-        raw: "echo"
-      }
-    };
-  }
-  const subcommand = args2[i];
-  const subArgs = args2.slice(i + 1);
+function registryOpsPattern() {
   return {
-    unresolved: false,
-    subcommand: {
-      command: subcommand,
-      originalCommand: subcommand,
-      args: subArgs,
-      envPrefixes: [],
-      raw: [subcommand, ...subArgs].join(" ")
-    }
+    match: { anyArgMatches: [anyArgMatchesPattern(REGISTRY_OPS)] },
+    decision: "ask",
+    reason: "Registry modification"
   };
 }
-function evaluateXargsCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { subcommand, unresolved } = parseXargsSubcommand(args2);
-  if (unresolved || !subcommand) {
-    return {
-      command,
-      args: args2,
-      decision: "ask",
-      reason: "xargs subcommand could not be resolved safely",
-      matchedRule: "xargs:subcommand"
-    };
-  }
-  const isShellExec = (subcommand.command === "sh" || subcommand.command === "bash" || subcommand.command === "zsh") && subcommand.args.length >= 2 && subcommand.args[0] === "-c";
-  let parsed;
-  if (isShellExec) {
-    const innerResult = parseCommand(subcommand.args[1]);
-    if (innerResult.parseError) {
-      parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
-    } else {
-      parsed = innerResult;
-    }
-  } else {
-    parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
-  }
-  const result = evaluate(parsed, config, cwd, depth + 1);
+function pkgManagerRule(command, extraSafeCmds = []) {
+  const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
     command,
-    args: args2,
-    decision: result.decision,
-    reason: `xargs subcommand "${subcommand.command}": ${result.reason}`,
-    matchedRule: "xargs:subcommand"
+    default: "ask",
+    argPatterns: [
+      registryOpsPattern(),
+      {
+        match: { anyArgMatches: [anyArgMatchesPattern(safeCmds)] },
+        decision: "allow",
+        description: `Standard ${command} commands`
+      },
+      VERSION_HELP_FLAGS
+    ]
   };
 }
-function parseFindExecCommands(args2) {
-  const commands = [];
-  let i = 0;
-  while (i < args2.length) {
-    if (args2[i] === "-exec" || args2[i] === "-execdir") {
-      i++;
-      const cmdArgs = [];
-      while (i < args2.length && args2[i] !== ";" && args2[i] !== "+") {
-        if (args2[i] !== "{}") {
-          cmdArgs.push(args2[i]);
-        }
-        i++;
-      }
-      i++;
-      if (cmdArgs.length > 0) {
-        commands.push({
-          command: cmdArgs[0],
-          originalCommand: cmdArgs[0],
-          args: cmdArgs.slice(1),
-          envPrefixes: [],
-          raw: cmdArgs.join(" ")
-        });
-      }
-    } else {
-      i++;
-    }
-  }
-  return commands;
-}
-function evaluateFindCommand(cmd, config, cwd, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2.some((a) => a === "-delete")) {
-    return { command, args: args2, decision: "ask", reason: "find -delete can remove files", matchedRule: "find:delete" };
-  }
-  if (args2.some((a) => a === "-ok" || a === "-okdir")) {
-    return { command, args: args2, decision: "ask", reason: "find -ok/-okdir can execute commands interactively", matchedRule: "find:ok" };
-  }
-  const execCommands = parseFindExecCommands(args2);
-  if (execCommands.length === 0) {
-    return { command, args: args2, decision: "allow", reason: "find without dangerous flags", matchedRule: "find:safe" };
-  }
-  for (const execCmd of execCommands) {
-    const parsed = {
-      commands: [execCmd],
-      hasSubshell: false,
-      subshellCommands: [],
-      parseError: false
-    };
-    const result = evaluate(parsed, config, cwd, depth + 1);
-    if (result.decision === "deny") {
-      return { command, args: args2, decision: "deny", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
-    }
-    if (result.decision === "ask") {
-      return { command, args: args2, decision: "ask", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
-    }
-  }
-  return { command, args: args2, decision: "allow", reason: "find -exec commands are safe", matchedRule: "find:exec" };
-}
-var SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-b",
-  "-c",
-  "-D",
-  "-E",
-  "-e",
-  "-F",
-  "-I",
-  "-i",
-  "-J",
-  "-L",
-  "-l",
-  "-m",
-  "-O",
-  "-o",
-  "-p",
-  "-Q",
-  "-R",
-  "-S",
-  "-W",
-  "-w"
-]);
-function findMatchingTarget(value, targets) {
-  return targets.find((t) => globToRegex(t.name).test(value)) || null;
-}
-function parseSSHArgs(args2) {
-  let host = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (SSH_FLAGS_WITH_VALUE.has(arg)) {
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!host) {
-      host = arg.includes("@") ? arg.split("@").pop() : arg;
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    i++;
-  }
-  return {
-    host,
-    remoteCommand: remoteArgs.length > 0 ? remoteArgs.map(shellQuote).join(" ") : null
-  };
-}
-function extractHostFromRemotePath(args2) {
-  for (const arg of args2) {
-    const match = arg.match(/^(?:[^@]+@)?([^:]+):/);
-    if (match) return match[1];
-  }
-  return null;
-}
-function evaluateSSHCommand(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (command === "scp" || command === "rsync") {
-    const host2 = extractHostFromRemotePath(args2);
-    if (!host2) return null;
-    const target2 = findMatchingTarget(host2, targets);
-    if (!target2) return null;
-    if (target2.allowAll || !target2.overrides) {
-      return {
-        command,
-        args: args2,
-        decision: "allow",
-        reason: `Trusted SSH host "${host2}"${target2.allowAll ? " (allowAll)" : ""}`,
-        matchedRule: "trustedSSHHosts"
-      };
-    }
-    if (target2.overrides.alwaysDeny.some((name) => name === command)) {
-      return {
-        command,
-        args: args2,
-        decision: "deny",
-        reason: `Trusted SSH host "${host2}": "${command}" blocked by overrides`,
-        matchedRule: "trustedSSHHosts"
-      };
-    }
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host2}"`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  const { host, remoteCommand } = parseSSHArgs(args2);
-  if (!host) return null;
-  const target = findMatchingTarget(host, targets);
-  if (!target) return null;
-  if (!remoteCommand) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host}" (interactive)`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  if (target.allowAll) {
-    return {
-      command,
-      args: args2,
-      decision: "allow",
-      reason: `Trusted SSH host "${host}" (allowAll)`,
-      matchedRule: "trustedSSHHosts"
-    };
-  }
-  const parsed = parseCommand(remoteCommand);
-  const result = evaluate(parsed, configWithContextOverrides(config, target), depth + 1);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted SSH host "${host}": ${result.reason}`,
-    matchedRule: "trustedSSHHosts"
-  };
-}
-var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-e",
-  "--env",
-  "--env-file",
-  "-u",
-  "--user",
-  "-w",
-  "--workdir",
-  "--detach-keys"
-]);
-var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
-function shellQuote(arg) {
-  if (/[\s"'\\$`!#&|;()<>]/.test(arg)) {
-    return `'${arg.replace(/'/g, "'\\''")}'`;
-  }
-  return arg;
-}
-function configWithContextOverrides(config, target) {
-  const overrideLayers = [];
-  if (target?.overrides) overrideLayers.push(target.overrides);
-  if (config.trustedContextOverrides) overrideLayers.push(config.trustedContextOverrides);
-  if (overrideLayers.length === 0) return config;
-  return {
-    ...config,
-    layers: [...overrideLayers, ...config.layers]
-  };
-}
-function evaluateRemoteCommand(remoteArgs, config, target, depth = 0) {
-  if (target?.allowAll) {
-    return { decision: "allow", reason: "allowAll target", details: [] };
-  }
-  const overriddenConfig = configWithContextOverrides(config, target);
-  if (remoteArgs.length === 0) {
-    return { decision: "allow", reason: "interactive", details: [] };
-  }
-  const remoteCmd = remoteArgs[0];
-  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs.length === 1) {
-    return { decision: "allow", reason: "interactive shell", details: [] };
-  }
-  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs[1] === "-c" && remoteArgs.length >= 3) {
-    const innerCommand = remoteArgs.slice(2).join(" ");
-    const parsed2 = parseCommand(innerCommand);
-    return evaluate(parsed2, overriddenConfig, depth + 1);
-  }
-  const parsed = {
-    commands: [{ command: remoteCmd, originalCommand: remoteCmd, args: remoteArgs.slice(1), envPrefixes: [], raw: remoteArgs.join(" ") }],
-    hasSubshell: false,
-    subshellCommands: [],
-    parseError: false
-  };
-  return evaluate(parsed, overriddenConfig, depth + 1);
-}
-function parseDockerExecArgs(args2) {
-  let target = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (DOCKER_EXEC_FLAGS_WITH_VALUE.has(arg)) {
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!target) {
-      target = arg;
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    i++;
-  }
-  return { target, remoteArgs };
-}
-function evaluateDockerExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2[0] !== "exec") return null;
-  const { target: containerName, remoteArgs } = parseDockerExecArgs(args2.slice(1));
-  if (!containerName) return null;
-  const matched = findMatchingTarget(containerName, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted Docker container "${containerName}" (${result.reason})`,
-    matchedRule: "trustedDockerContainers"
-  };
-}
-var KUBECTL_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-n",
-  "--namespace",
-  "-c",
-  "--container",
-  "--context",
-  "--cluster",
-  "--kubeconfig",
-  "-s",
-  "--server",
-  "--token",
-  "--user",
-  "--as",
-  "--as-group",
-  "--certificate-authority",
-  "--client-certificate",
-  "--client-key",
-  "-l",
-  "--selector",
-  "-f",
-  "--filename",
-  "--cache-dir",
-  "--request-timeout",
-  "-o",
-  "--output"
-]);
-function parseKubectlExecArgs(args2) {
-  let context = null;
-  let pod = null;
-  const remoteArgs = [];
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg === "--") {
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    if (arg.startsWith("--") && arg.includes("=")) {
-      if (arg.startsWith("--context=")) {
-        context = arg.split("=")[1];
-      }
-      i++;
-      continue;
-    }
-    if (KUBECTL_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "--context") context = args2[i + 1] || null;
-      i += 2;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!pod) {
-      pod = arg;
-    }
-    i++;
-  }
-  return { context, pod, remoteArgs };
-}
-function evaluateKubectlExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  if (args2[0] !== "exec") return null;
-  const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
-  if (!context) return null;
-  const matched = findMatchingTarget(context, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (${result.reason})`,
-    matchedRule: "trustedKubectlContexts"
-  };
-}
-var SPRITE_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-o",
-  "--org",
-  "-s",
-  "--sprite"
-]);
-function parseSpriteExecArgs(args2) {
-  let spriteName = null;
-  const remoteArgs = [];
-  let foundExec = false;
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg.startsWith("--") && arg.includes("=")) {
-      if (arg.startsWith("--sprite=")) {
-        spriteName = arg.split("=")[1];
-      }
-      i++;
-      continue;
-    }
-    if (SPRITE_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "-s" || arg === "--sprite") {
-        spriteName = args2[i + 1] || null;
-      }
-      i += 2;
-      continue;
-    }
-    if (arg === "--debug") {
-      i++;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!foundExec) {
-      if (arg === "exec" || arg === "x" || arg === "console" || arg === "c") {
-        foundExec = true;
-        i++;
-        continue;
-      }
-      return { spriteName: null, remoteArgs: [] };
-    }
-    while (i < args2.length) {
-      remoteArgs.push(args2[i]);
-      i++;
-    }
-    break;
-  }
-  return { spriteName, remoteArgs };
-}
-function evaluateSpriteExec(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
-  if (!spriteName) return null;
-  const matched = findMatchingTarget(spriteName, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted sprite "${spriteName}" (${result.reason})`,
-    matchedRule: "trustedSprites"
-  };
-}
-var FLY_SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
-  "-a",
-  "--app",
-  "-C",
-  "--command",
-  "-o",
-  "--org",
-  "-r",
-  "--region",
-  "-u",
-  "--user",
-  "--address"
-]);
-function parseFlySSHArgs(args2) {
-  let app = null;
-  const remoteArgs = [];
-  let isSSH = false;
-  let foundConsole = false;
-  let i = 0;
-  while (i < args2.length) {
-    const arg = args2[i];
-    if (arg.startsWith("--app=")) {
-      app = arg.slice(6);
-      i++;
-      continue;
-    }
-    if (FLY_SSH_FLAGS_WITH_VALUE.has(arg)) {
-      if (arg === "-a" || arg === "--app") {
-        app = args2[i + 1] || null;
-      }
-      if ((arg === "-C" || arg === "--command") && foundConsole) {
-        const cmdValue = args2[i + 1];
-        if (cmdValue) {
-          const parsed = parseCommand(cmdValue);
-          if (!parsed.parseError && parsed.commands.length > 0) {
-            const cmd = parsed.commands[0];
-            remoteArgs.push(cmd.command, ...cmd.args);
-          }
-        }
-        i += 2;
-        continue;
-      }
-      i += 2;
-      continue;
-    }
-    if (arg === "--") {
-      i++;
-      while (i < args2.length) {
-        remoteArgs.push(args2[i]);
-        i++;
-      }
-      break;
-    }
-    if (arg.startsWith("-")) {
-      i++;
-      continue;
-    }
-    if (!isSSH && arg === "ssh") {
-      isSSH = true;
-      i++;
-      continue;
-    }
-    if (isSSH && !foundConsole && (arg === "console" || arg === "sftp")) {
-      foundConsole = true;
-      i++;
-      continue;
-    }
-    i++;
-  }
-  return { app, remoteArgs, isSSH: isSSH && foundConsole };
-}
-function evaluateFlyCommand(cmd, config, targets, depth = 0) {
-  const { command, args: args2 } = cmd;
-  const { app, remoteArgs, isSSH } = parseFlySSHArgs(args2);
-  if (!isSSH) return null;
-  if (!app) return null;
-  const matched = findMatchingTarget(app, targets);
-  if (!matched) return null;
-  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
-  return {
-    command,
-    args: args2,
-    decision: result.decision,
-    reason: `Trusted Fly app "${app}" (${result.reason})`,
-    matchedRule: "trustedFlyApps"
-  };
-}
-// src/rules.ts
-var import_fs = require("fs");
-var import_yaml = __toESM(require_dist2(), 1);
-var import_os2 = require("os");
-var import_path3 = require("path");
-// src/defaults.ts
-var SAFE_DEV_TOOLS = [
-  "jest",
-  "vitest",
-  "tsc",
-  "eslint",
-  "prettier",
-  "mkdirp",
-  "concurrently",
-  "turbo",
-  "next",
-  "nuxt",
-  "vite",
-  "astro",
-  "playwright",
-  "cypress",
-  "mocha",
-  "nyc",
-  "c8",
-  "ts-jest",
-  "tsup",
-  "esbuild",
-  "rollup",
-  "webpack",
-  "prisma",
-  "drizzle-kit",
-  "typeorm",
-  "knex",
-  "sequelize-cli",
-  "tailwindcss",
-  "postcss",
-  "autoprefixer",
-  "lint-staged",
-  "husky",
-  "changeset",
-  "semantic-release",
-  "lerna",
-  "nx",
-  "create-react-app",
-  "create-next-app",
-  "create-vite",
-  "degit",
-  "storybook",
-  "wrangler",
-  "netlify",
-  "vercel",
-  "json",
-  "biome"
-];
-var SCRIPT_RUNNERS = ["tsx", "ts-node", "nodemon"];
-var REGISTRY_OPS = ["publish", "unpublish", "deprecate", "owner", "access", "token", "adduser", "login", "logout"];
-var SAFE_PKG_MANAGER_CMDS = [
-  "install",
-  "add",
-  "remove",
-  "uninstall",
-  "update",
-  "upgrade",
-  "outdated",
-  "ls",
-  "list",
-  "run",
-  "test",
-  "start",
-  "build",
-  "init",
-  "create",
-  "info",
-  "view",
-  "show",
-  "why",
-  "pack",
-  "cache",
-  "config",
-  "get",
-  "set",
-  "version",
-  "help",
-  "exec",
-  "dedupe",
-  "prune",
-  "audit",
-  "completion",
-  "whoami"
-];
-var VERSION_HELP_FLAGS = {
-  match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] },
-  decision: "allow",
-  description: "Version/help flags"
-};
-function anyArgMatchesPattern(items) {
-  return `^(${items.join("|")})$`;
-}
-function safeDevToolsPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(SAFE_DEV_TOOLS)] },
-    decision: "allow",
-    description: "Well-known dev tools"
-  };
-}
-function scriptRunnersPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(SCRIPT_RUNNERS)] },
-    decision: "ask",
-    reason: "Script runners can execute arbitrary code"
-  };
-}
-function registryOpsPattern() {
-  return {
-    match: { anyArgMatches: [anyArgMatchesPattern(REGISTRY_OPS)] },
-    decision: "ask",
-    reason: "Registry modification"
-  };
-}
-function pkgManagerRule(command, extraSafeCmds = []) {
-  const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
-  return {
-    command,
-    default: "ask",
-    argPatterns: [
-      registryOpsPattern(),
-      {
-        match: { anyArgMatches: [anyArgMatchesPattern(safeCmds)] },
-        decision: "allow",
-        description: `Standard ${command} commands`
-      },
-      VERSION_HELP_FLAGS
-    ]
-  };
-}
-function pkgRunnerRule(command) {
-  return {
-    command,
-    default: "ask",
-    argPatterns: [
-      safeDevToolsPattern(),
-      scriptRunnersPattern(),
-      VERSION_HELP_FLAGS
-    ]
-  };
+function pkgRunnerRule(command) {
+  return {
+    command,
+    default: "ask",
+    argPatterns: [
+      safeDevToolsPattern(),
+      scriptRunnersPattern(),
+      VERSION_HELP_FLAGS
+    ]
+  };
 }
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
@@ -20288,316 +19456,1129 @@ var DEFAULT_CONFIG = {
   }]
 };
-// src/rules.ts
-var VALID_DECISIONS = /* @__PURE__ */ new Set(["allow", "deny", "ask"]);
-function isValidDecision(value) {
-  return VALID_DECISIONS.has(value);
+// src/rules.ts
+var VALID_DECISIONS = /* @__PURE__ */ new Set(["allow", "deny", "ask"]);
+function isValidDecision(value) {
+  return VALID_DECISIONS.has(value);
+}
+var quiet = true;
+function warn(message) {
+  if (quiet) return;
+  process.stderr.write(message);
+}
+var USER_CONFIG_PATHS = [
+  (0, import_path3.join)((0, import_os.homedir)(), ".claude", "warden.yaml"),
+  (0, import_path3.join)((0, import_os.homedir)(), ".claude", "warden.json")
+];
+var PROJECT_CONFIG_NAMES = [
+  ".claude/warden.yaml",
+  ".claude/warden.json"
+];
+function loadConfig(cwd) {
+  const config = structuredClone(DEFAULT_CONFIG);
+  const defaultLayer = config.layers[0];
+  let userLayer = null;
+  let userRaw = null;
+  for (const configPath of USER_CONFIG_PATHS) {
+    const result = tryLoadFile(configPath);
+    if (result) {
+      userLayer = extractLayer(result);
+      userRaw = result;
+      break;
+    }
+  }
+  let workspaceLayer = null;
+  let workspaceRaw = null;
+  if (cwd) {
+    for (const name of PROJECT_CONFIG_NAMES) {
+      const result = tryLoadFile((0, import_path3.join)(cwd, name));
+      if (result) {
+        workspaceLayer = extractLayer(result);
+        workspaceRaw = result;
+        break;
+      }
+    }
+  }
+  config.layers = [
+    ...workspaceLayer ? [workspaceLayer] : [],
+    ...userLayer ? [userLayer] : [],
+    defaultLayer
+  ];
+  if (userRaw) mergeNonLayerFields(config, userRaw);
+  if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
+  return config;
+}
+function tryLoadFile(filePath) {
+  if (!(0, import_fs.existsSync)(filePath)) return null;
+  try {
+    const raw = (0, import_fs.readFileSync)(filePath, "utf-8");
+    const parsed = filePath.endsWith(".yaml") || filePath.endsWith(".yml") ? (0, import_yaml.parse)(raw) : JSON.parse(raw);
+    if (parsed && typeof parsed === "object") {
+      return parsed;
+    }
+  } catch (err) {
+    warn(`[warden] Warning: failed to parse config ${filePath}: ${err instanceof Error ? err.message : String(err)}
+`);
+  }
+  return null;
+}
+function extractLayer(raw) {
+  const rules = Array.isArray(raw.rules) ? raw.rules : [];
+  for (const rule of rules) {
+    if (rule && typeof rule === "object") {
+      if (rule.default && !isValidDecision(rule.default)) {
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+`);
+        rule.default = "ask";
+      }
+      if (Array.isArray(rule.argPatterns)) {
+        for (const pattern of rule.argPatterns) {
+          if (pattern?.decision && !isValidDecision(pattern.decision)) {
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+`);
+            pattern.decision = "ask";
+          }
+        }
+      }
+    }
+  }
+  return {
+    alwaysAllow: Array.isArray(raw.alwaysAllow) ? raw.alwaysAllow : [],
+    alwaysDeny: Array.isArray(raw.alwaysDeny) ? raw.alwaysDeny : [],
+    rules
+  };
+}
+function parseTrustedList(raw) {
+  return raw.map((entry) => {
+    if (typeof entry === "string") return { name: entry };
+    if (entry && typeof entry === "object" && "name" in entry) {
+      const obj = entry;
+      const target = { name: String(obj.name) };
+      if (obj.allowAll === true) target.allowAll = true;
+      if (obj.overrides && typeof obj.overrides === "object") {
+        target.overrides = extractLayer(obj.overrides);
+      }
+      return target;
+    }
+    return null;
+  }).filter((t) => t !== null);
+}
+var VALID_REMOTE_CONTEXTS = /* @__PURE__ */ new Set(["ssh", "docker", "kubectl", "sprite", "fly"]);
+function parseTrustedRemotes(raw) {
+  const results = [];
+  for (const entry of raw) {
+    if (!entry || typeof entry !== "object") continue;
+    const obj = entry;
+    const context = String(obj.context || "");
+    if (!VALID_REMOTE_CONTEXTS.has(context)) {
+      warn(`[warden] Warning: unknown remote context "${context}", skipping
+`);
+      continue;
+    }
+    const name = String(obj.name || "");
+    if (!name) continue;
+    const remote = { name, context };
+    if (obj.allowAll === true) remote.allowAll = true;
+    if (obj.overrides && typeof obj.overrides === "object") {
+      remote.overrides = extractLayer(obj.overrides);
+    }
+    results.push(remote);
+  }
+  return results;
+}
+function parseTargetPolicies(raw) {
+  const results = [];
+  for (const entry of raw) {
+    if (!entry || typeof entry !== "object") continue;
+    const obj = entry;
+    const type = String(obj.type || "");
+    const rawDecision = String(obj.decision || "allow");
+    const decision = isValidDecision(rawDecision) ? rawDecision : "allow";
+    const base = {
+      commands: Array.isArray(obj.commands) ? obj.commands.map(String) : void 0,
+      decision,
+      reason: obj.reason ? String(obj.reason) : void 0,
+      allowAll: obj.allowAll === true ? true : void 0
+    };
+    switch (type) {
+      case "path": {
+        const path = String(obj.path || "");
+        if (!path) continue;
+        const policy = { ...base, type: "path", path };
+        if (obj.recursive === false) policy.recursive = false;
+        results.push(policy);
+        break;
+      }
+      case "database": {
+        const host = String(obj.host || "");
+        if (!host) continue;
+        const policy = { ...base, type: "database", host };
+        if (typeof obj.port === "number") policy.port = obj.port;
+        if (obj.database) policy.database = String(obj.database);
+        results.push(policy);
+        break;
+      }
+      case "endpoint": {
+        const pattern = String(obj.pattern || "");
+        if (!pattern) continue;
+        results.push({ ...base, type: "endpoint", pattern });
+        break;
+      }
+      default:
+        warn(`[warden] Warning: unknown target policy type "${type}", skipping
+`);
+    }
+  }
+  return results;
+}
+function parseLegacyPaths(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const path = String(obj.path || "");
+    if (!path) continue;
+    const tp = { type: "path", path, decision };
+    if (obj.recursive === false) tp.recursive = false;
+    if (Array.isArray(obj.commands)) tp.commands = obj.commands.map(String);
+    if (obj.reason) tp.reason = String(obj.reason);
+    results.push(tp);
+  }
+  return results;
+}
+function parseLegacyDatabases(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const host = String(obj.host || "");
+    if (!host) continue;
+    const td = { type: "database", host, decision };
+    if (typeof obj.port === "number") td.port = obj.port;
+    if (obj.database) td.database = String(obj.database);
+    if (Array.isArray(obj.commands)) td.commands = obj.commands.map(String);
+    if (obj.reason) td.reason = String(obj.reason);
+    results.push(td);
+  }
+  return results;
+}
+function parseLegacyEndpoints(raw) {
+  const results = [];
+  for (const e of raw) {
+    if (!e || typeof e !== "object") continue;
+    const obj = e;
+    const decision = String(obj.decision || "allow");
+    if (!isValidDecision(decision)) continue;
+    const pattern = String(obj.pattern || "");
+    if (!pattern) continue;
+    const te = { type: "endpoint", pattern, decision };
+    if (Array.isArray(obj.commands)) te.commands = obj.commands.map(String);
+    if (obj.reason) te.reason = String(obj.reason);
+    results.push(te);
+  }
+  return results;
+}
+var LEGACY_REMOTE_MAP = {
+  trustedSSHHosts: "ssh",
+  trustedDockerContainers: "docker",
+  trustedKubectlContexts: "kubectl",
+  trustedSprites: "sprite",
+  trustedFlyApps: "fly"
+};
+function mergeNonLayerFields(config, raw) {
+  if (Array.isArray(raw.trustedRemotes)) {
+    config.trustedRemotes = [...config.trustedRemotes || [], ...parseTrustedRemotes(raw.trustedRemotes)];
+  }
+  if (Array.isArray(raw.targetPolicies)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseTargetPolicies(raw.targetPolicies)];
+  }
+  for (const [key, context] of Object.entries(LEGACY_REMOTE_MAP)) {
+    if (Array.isArray(raw[key])) {
+      const remotes = parseTrustedList(raw[key]).map((t) => ({ ...t, context }));
+      config.trustedRemotes = [...config.trustedRemotes || [], ...remotes];
+    }
+  }
+  if (Array.isArray(raw.trustedPaths)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyPaths(raw.trustedPaths)];
+  }
+  if (Array.isArray(raw.trustedDatabases)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyDatabases(raw.trustedDatabases)];
+  }
+  if (Array.isArray(raw.trustedEndpoints)) {
+    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyEndpoints(raw.trustedEndpoints)];
+  }
+  if (typeof raw.defaultDecision === "string") {
+    if (isValidDecision(raw.defaultDecision)) {
+      config.defaultDecision = raw.defaultDecision;
+    } else {
+      warn(`[warden] Warning: invalid defaultDecision "${raw.defaultDecision}", ignoring
+`);
+    }
+  }
+  if (typeof raw.askOnSubshell === "boolean") {
+    config.askOnSubshell = raw.askOnSubshell;
+  }
+  if (typeof raw.notifyOnAsk === "boolean") {
+    config.notifyOnAsk = raw.notifyOnAsk;
+  }
+  if (typeof raw.notifyOnDeny === "boolean") {
+    config.notifyOnDeny = raw.notifyOnDeny;
+  }
+  if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
+    const overrides = raw.trustedContextOverrides;
+    const layer = extractLayer(overrides);
+    if (config.trustedContextOverrides) {
+      config.trustedContextOverrides = {
+        alwaysAllow: [...layer.alwaysAllow, ...config.trustedContextOverrides.alwaysAllow],
+        alwaysDeny: [...layer.alwaysDeny, ...config.trustedContextOverrides.alwaysDeny],
+        rules: [...layer.rules, ...config.trustedContextOverrides.rules]
+      };
+    } else {
+      config.trustedContextOverrides = layer;
+    }
+  }
+}
+// src/evaluator.ts
+function safeRegexTest(pattern, input) {
+  try {
+    return new RegExp(pattern).test(input);
+  } catch {
+    warn(`[warden] Warning: invalid regex pattern: ${pattern}
+`);
+    return false;
+  }
+}
+function commandMatchesName(cmd, name) {
+  if (name.startsWith("/")) {
+    return cmd.originalCommand === name;
+  }
+  if (name.startsWith("~/")) {
+    return cmd.originalCommand === (0, import_os2.homedir)() + name.slice(1);
+  }
+  return cmd.command === name;
+}
+var MAX_RECURSION_DEPTH = 10;
+function evaluate(parsed, config, cwdOrDepth, maybeDepth) {
+  const cwd = typeof cwdOrDepth === "string" ? cwdOrDepth : void 0;
+  const depth = typeof cwdOrDepth === "number" ? cwdOrDepth : maybeDepth ?? 0;
+  if (depth > MAX_RECURSION_DEPTH) {
+    return { decision: "ask", reason: "Maximum recursion depth exceeded", details: [] };
+  }
+  if (parsed.parseError) {
+    return { decision: "ask", reason: "Could not parse command safely", details: [] };
+  }
+  if (parsed.commands.length === 0) {
+    return { decision: "allow", reason: "Empty command", details: [] };
+  }
+  if (parsed.hasSubshell && parsed.subshellCommands.length > 0) {
+    for (const subCmd of parsed.subshellCommands) {
+      const subParsed = parseCommand(subCmd);
+      const subResult = evaluate(subParsed, config, cwd, depth + 1);
+      if (subResult.decision === "deny") {
+        return { decision: "deny", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+      if (subResult.decision === "ask") {
+        return { decision: "ask", reason: `Subshell command: ${subResult.reason}`, details: subResult.details };
+      }
+    }
+  } else if (parsed.hasSubshell && parsed.subshellCommands.length === 0 && config.askOnSubshell) {
+    return { decision: "ask", reason: "Command contains subshell/command substitution", details: [] };
+  }
+  const details = [];
+  for (const cmd of parsed.commands) {
+    details.push(evaluateCommand(cmd, config, cwd, depth));
+  }
+  const decisions = details.map((d) => d.decision);
+  if (decisions.includes("deny")) {
+    const denied = details.filter((d) => d.decision === "deny");
+    return {
+      decision: "deny",
+      reason: denied.map((d) => `${d.command}: ${d.reason}`).join("; "),
+      details
+    };
+  }
+  if (decisions.includes("ask")) {
+    const asked = details.filter((d) => d.decision === "ask");
+    return {
+      decision: "ask",
+      reason: asked.map((d) => `${d.command}: ${d.reason}`).join("; "),
+      details
+    };
+  }
+  return { decision: "allow", reason: "All commands are safe", details };
+}
+function evaluateCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  for (const layer of config.layers) {
+    if (layer.alwaysDeny.some((name) => commandMatchesName(cmd, name))) {
+      return { command, args: args2, decision: "deny", reason: `"${command}" is blocked`, matchedRule: "alwaysDeny" };
+    }
+    if (layer.alwaysAllow.some((name) => commandMatchesName(cmd, name))) {
+      return { command, args: args2, decision: "allow", reason: `"${command}" is safe`, matchedRule: "alwaysAllow" };
+    }
+  }
+  if (cwd) {
+    const targetResult = evaluateTargetPolicies(cmd, cwd, config);
+    if (targetResult) return targetResult;
+  }
+  const remotes = config.trustedRemotes || [];
+  if (command === "ssh" || command === "scp" || command === "rsync") {
+    const sshTargets = remotes.filter((r) => r.context === "ssh");
+    if (sshTargets.length) {
+      const sshResult = evaluateSSHCommand(cmd, config, sshTargets, depth);
+      if (sshResult) return sshResult;
+    }
+  }
+  if (command === "docker") {
+    const dockerTargets = remotes.filter((r) => r.context === "docker");
+    if (dockerTargets.length) {
+      const dockerResult = evaluateDockerExec(cmd, config, dockerTargets, depth);
+      if (dockerResult) return dockerResult;
+    }
+  }
+  if (command === "kubectl") {
+    const kubectlTargets = remotes.filter((r) => r.context === "kubectl");
+    if (kubectlTargets.length) {
+      const kubectlResult = evaluateKubectlExec(cmd, config, kubectlTargets, depth);
+      if (kubectlResult) return kubectlResult;
+    }
+  }
+  if (command === "sprite") {
+    const spriteTargets = remotes.filter((r) => r.context === "sprite");
+    if (spriteTargets.length) {
+      const spriteResult = evaluateSpriteExec(cmd, config, spriteTargets, depth);
+      if (spriteResult) return spriteResult;
+    }
+  }
+  if (command === "fly" || command === "flyctl") {
+    const flyTargets = remotes.filter((r) => r.context === "fly");
+    if (flyTargets.length) {
+      const flyResult = evaluateFlyCommand(cmd, config, flyTargets, depth);
+      if (flyResult) return flyResult;
+    }
+  }
+  if (command === "xargs") {
+    return evaluateXargsCommand(cmd, config, cwd, depth);
+  }
+  if (command === "find") {
+    return evaluateFindCommand(cmd, config, cwd, depth);
+  }
+  const mergedRule = collectMergedRule(cmd, config);
+  if (mergedRule) {
+    return evaluateRule(cmd, mergedRule);
+  }
+  return { command, args: args2, decision: config.defaultDecision, reason: `No rule for "${command}"`, matchedRule: "default" };
+}
+function collectMergedRule(cmd, config) {
+  const matchingRules = [];
+  for (const layer of config.layers) {
+    const rule = layer.rules.find((r) => commandMatchesName(cmd, r.command));
+    if (rule) {
+      matchingRules.push(rule);
+      if (rule.override) break;
+    }
+  }
+  if (matchingRules.length === 0) return null;
+  if (matchingRules.length === 1) return matchingRules[0];
+  const mergedPatterns = [];
+  for (const rule of matchingRules) {
+    if (rule.argPatterns) {
+      mergedPatterns.push(...rule.argPatterns);
+    }
+  }
+  return {
+    command: matchingRules[0].command,
+    default: matchingRules[0].default,
+    argPatterns: mergedPatterns
+  };
+}
+function evaluateRule(cmd, rule) {
+  const { command, args: args2 } = cmd;
+  const argsJoined = args2.join(" ");
+  for (const pattern of rule.argPatterns || []) {
+    const m = pattern.match;
+    let matched = true;
+    if (m.noArgs !== void 0) {
+      matched = matched && m.noArgs === (args2.length === 0);
+    }
+    if (m.argsMatch && matched) {
+      matched = m.argsMatch.some((re) => safeRegexTest(re, argsJoined));
+    }
+    if (m.anyArgMatches && matched) {
+      matched = args2.some((arg) => m.anyArgMatches.some((re) => safeRegexTest(re, arg)));
+    }
+    if (m.argCount && matched) {
+      if (m.argCount.min !== void 0) matched = matched && args2.length >= m.argCount.min;
+      if (m.argCount.max !== void 0) matched = matched && args2.length <= m.argCount.max;
+    }
+    if (m.not) matched = !matched;
+    if (matched) {
+      return {
+        command,
+        args: args2,
+        decision: pattern.decision,
+        reason: pattern.reason || pattern.description || `Matched pattern for "${command}"`,
+        matchedRule: `${command}:argPattern`
+      };
+    }
+  }
+  return {
+    command,
+    args: args2,
+    decision: rule.default,
+    reason: `Default for "${command}"`,
+    matchedRule: `${command}:default`
+  };
+}
+var XARGS_SHORT_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set(["E", "I", "L", "n", "P", "s", "S", "d", "a"]);
+var XARGS_SHORT_FLAGS_NO_VALUE = /* @__PURE__ */ new Set(["0", "e", "o", "p", "r", "t", "x"]);
+var XARGS_LONG_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "--eof",
+  "--replace",
+  "--max-lines",
+  "--max-args",
+  "--max-procs",
+  "--max-chars",
+  "--arg-file",
+  "--delimiter"
+]);
+var XARGS_LONG_FLAGS_NO_VALUE = /* @__PURE__ */ new Set([
+  "--null",
+  "--exit",
+  "--open-tty",
+  "--interactive",
+  "--no-run-if-empty",
+  "--verbose",
+  "--show-limits"
+]);
+function parseXargsSubcommand(args2) {
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg === "--") {
+      i++;
+      break;
+    }
+    if (!arg.startsWith("-") || arg === "-") {
+      break;
+    }
+    if (arg.startsWith("--")) {
+      const eqIndex = arg.indexOf("=");
+      const longFlag = eqIndex === -1 ? arg : arg.slice(0, eqIndex);
+      if (XARGS_LONG_FLAGS_WITH_VALUE.has(longFlag)) {
+        if (eqIndex !== -1) {
+          i++;
+          continue;
+        }
+        if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
+        i += 2;
+        continue;
+      }
+      if (XARGS_LONG_FLAGS_NO_VALUE.has(longFlag)) {
+        i++;
+        continue;
+      }
+      return { subcommand: null, unresolved: true };
+    }
+    const short = arg[1];
+    if (XARGS_SHORT_FLAGS_WITH_VALUE.has(short)) {
+      if (arg.length > 2) {
+        i++;
+        continue;
+      }
+      if (i + 1 >= args2.length) return { subcommand: null, unresolved: true };
+      i += 2;
+      continue;
+    }
+    const grouped = arg.slice(1).split("");
+    const allKnownNoValue = grouped.every((ch) => XARGS_SHORT_FLAGS_NO_VALUE.has(ch));
+    if (allKnownNoValue) {
+      i++;
+      continue;
+    }
+    return { subcommand: null, unresolved: true };
+  }
+  if (i >= args2.length) {
+    return {
+      unresolved: false,
+      subcommand: {
+        command: "echo",
+        originalCommand: "echo",
+        args: [],
+        envPrefixes: [],
+        raw: "echo"
+      }
+    };
+  }
+  const subcommand = args2[i];
+  const subArgs = args2.slice(i + 1);
+  return {
+    unresolved: false,
+    subcommand: {
+      command: subcommand,
+      originalCommand: subcommand,
+      args: subArgs,
+      envPrefixes: [],
+      raw: [subcommand, ...subArgs].join(" ")
+    }
+  };
+}
+function evaluateXargsCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { subcommand, unresolved } = parseXargsSubcommand(args2);
+  if (unresolved || !subcommand) {
+    return {
+      command,
+      args: args2,
+      decision: "ask",
+      reason: "xargs subcommand could not be resolved safely",
+      matchedRule: "xargs:subcommand"
+    };
+  }
+  const isShellExec = (subcommand.command === "sh" || subcommand.command === "bash" || subcommand.command === "zsh") && subcommand.args.length >= 2 && subcommand.args[0] === "-c";
+  let parsed;
+  if (isShellExec) {
+    const innerResult = parseCommand(subcommand.args[1]);
+    if (innerResult.parseError) {
+      parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
+    } else {
+      parsed = innerResult;
+    }
+  } else {
+    parsed = { commands: [subcommand], hasSubshell: false, subshellCommands: [], parseError: false };
+  }
+  const result = evaluate(parsed, config, cwd, depth + 1);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `xargs subcommand "${subcommand.command}": ${result.reason}`,
+    matchedRule: "xargs:subcommand"
+  };
+}
+function parseFindExecCommands(args2) {
+  const commands = [];
+  let i = 0;
+  while (i < args2.length) {
+    if (args2[i] === "-exec" || args2[i] === "-execdir") {
+      i++;
+      const cmdArgs = [];
+      while (i < args2.length && args2[i] !== ";" && args2[i] !== "+") {
+        if (args2[i] !== "{}") {
+          cmdArgs.push(args2[i]);
+        }
+        i++;
+      }
+      i++;
+      if (cmdArgs.length > 0) {
+        commands.push({
+          command: cmdArgs[0],
+          originalCommand: cmdArgs[0],
+          args: cmdArgs.slice(1),
+          envPrefixes: [],
+          raw: cmdArgs.join(" ")
+        });
+      }
+    } else {
+      i++;
+    }
+  }
+  return commands;
+}
+function evaluateFindCommand(cmd, config, cwd, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2.some((a) => a === "-delete")) {
+    return { command, args: args2, decision: "ask", reason: "find -delete can remove files", matchedRule: "find:delete" };
+  }
+  if (args2.some((a) => a === "-ok" || a === "-okdir")) {
+    return { command, args: args2, decision: "ask", reason: "find -ok/-okdir can execute commands interactively", matchedRule: "find:ok" };
+  }
+  const execCommands = parseFindExecCommands(args2);
+  if (execCommands.length === 0) {
+    return { command, args: args2, decision: "allow", reason: "find without dangerous flags", matchedRule: "find:safe" };
+  }
+  for (const execCmd of execCommands) {
+    const parsed = {
+      commands: [execCmd],
+      hasSubshell: false,
+      subshellCommands: [],
+      parseError: false
+    };
+    const result = evaluate(parsed, config, cwd, depth + 1);
+    if (result.decision === "deny") {
+      return { command, args: args2, decision: "deny", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+    if (result.decision === "ask") {
+      return { command, args: args2, decision: "ask", reason: `find -exec: ${result.reason}`, matchedRule: "find:exec" };
+    }
+  }
+  return { command, args: args2, decision: "allow", reason: "find -exec commands are safe", matchedRule: "find:exec" };
+}
+var SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-b",
+  "-c",
+  "-D",
+  "-E",
+  "-e",
+  "-F",
+  "-I",
+  "-i",
+  "-J",
+  "-L",
+  "-l",
+  "-m",
+  "-O",
+  "-o",
+  "-p",
+  "-Q",
+  "-R",
+  "-S",
+  "-W",
+  "-w"
+]);
+function findMatchingTarget(value, targets) {
+  return targets.find((t) => globToRegex(t.name).test(value)) || null;
+}
+function parseSSHArgs(args2) {
+  let host = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (SSH_FLAGS_WITH_VALUE.has(arg)) {
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!host) {
+      host = arg.includes("@") ? arg.split("@").pop() : arg;
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
+      }
+      break;
+    }
+    i++;
+  }
+  return {
+    host,
+    remoteCommand: remoteArgs.length > 0 ? remoteArgs.map(shellQuote).join(" ") : null
+  };
+}
+function extractHostFromRemotePath(args2) {
+  for (const arg of args2) {
+    const match = arg.match(/^(?:[^@]+@)?([^:]+):/);
+    if (match) return match[1];
+  }
+  return null;
+}
+function evaluateSSHCommand(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (command === "scp" || command === "rsync") {
+    const host2 = extractHostFromRemotePath(args2);
+    if (!host2) return null;
+    const target2 = findMatchingTarget(host2, targets);
+    if (!target2) return null;
+    if (target2.allowAll || !target2.overrides) {
+      return {
+        command,
+        args: args2,
+        decision: "allow",
+        reason: `Trusted SSH host "${host2}"${target2.allowAll ? " (allowAll)" : ""}`,
+        matchedRule: "trustedSSHHosts"
+      };
+    }
+    if (target2.overrides.alwaysDeny.some((name) => name === command)) {
+      return {
+        command,
+        args: args2,
+        decision: "deny",
+        reason: `Trusted SSH host "${host2}": "${command}" blocked by overrides`,
+        matchedRule: "trustedSSHHosts"
+      };
+    }
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host2}"`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  const { host, remoteCommand } = parseSSHArgs(args2);
+  if (!host) return null;
+  const target = findMatchingTarget(host, targets);
+  if (!target) return null;
+  if (!remoteCommand) {
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host}" (interactive)`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  if (target.allowAll) {
+    return {
+      command,
+      args: args2,
+      decision: "allow",
+      reason: `Trusted SSH host "${host}" (allowAll)`,
+      matchedRule: "trustedSSHHosts"
+    };
+  }
+  const parsed = parseCommand(remoteCommand);
+  const result = evaluate(parsed, configWithContextOverrides(config, target), depth + 1);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted SSH host "${host}": ${result.reason}`,
+    matchedRule: "trustedSSHHosts"
+  };
+}
+var DOCKER_EXEC_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-e",
+  "--env",
+  "--env-file",
+  "-u",
+  "--user",
+  "-w",
+  "--workdir",
+  "--detach-keys"
+]);
+var INTERACTIVE_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "zsh"]);
+function shellQuote(arg) {
+  if (/[\s"'\\$`!#&|;()<>]/.test(arg)) {
+    return `'${arg.replace(/'/g, "'\\''")}'`;
+  }
+  return arg;
+}
+function configWithContextOverrides(config, target) {
+  const overrideLayers = [];
+  if (target?.overrides) overrideLayers.push(target.overrides);
+  if (config.trustedContextOverrides) overrideLayers.push(config.trustedContextOverrides);
+  if (overrideLayers.length === 0) return config;
+  return {
+    ...config,
+    layers: [...overrideLayers, ...config.layers]
+  };
+}
+function evaluateRemoteCommand(remoteArgs, config, target, depth = 0) {
+  if (target?.allowAll) {
+    return { decision: "allow", reason: "allowAll target", details: [] };
+  }
+  const overriddenConfig = configWithContextOverrides(config, target);
+  if (remoteArgs.length === 0) {
+    return { decision: "allow", reason: "interactive", details: [] };
+  }
+  const remoteCmd = remoteArgs[0];
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs.length === 1) {
+    return { decision: "allow", reason: "interactive shell", details: [] };
+  }
+  if (INTERACTIVE_SHELLS.has(remoteCmd) && remoteArgs[1] === "-c" && remoteArgs.length >= 3) {
+    const innerCommand = remoteArgs.slice(2).join(" ");
+    const parsed2 = parseCommand(innerCommand);
+    return evaluate(parsed2, overriddenConfig, depth + 1);
+  }
+  const parsed = {
+    commands: [{ command: remoteCmd, originalCommand: remoteCmd, args: remoteArgs.slice(1), envPrefixes: [], raw: remoteArgs.join(" ") }],
+    hasSubshell: false,
+    subshellCommands: [],
+    parseError: false
+  };
+  return evaluate(parsed, overriddenConfig, depth + 1);
 }
-var USER_CONFIG_PATHS = [
-  (0, import_path3.join)((0, import_os2.homedir)(), ".claude", "warden.yaml"),
-  (0, import_path3.join)((0, import_os2.homedir)(), ".claude", "warden.json")
-];
-var PROJECT_CONFIG_NAMES = [
-  ".claude/warden.yaml",
-  ".claude/warden.json"
-];
-function loadConfig(cwd) {
-  const config = structuredClone(DEFAULT_CONFIG);
-  const defaultLayer = config.layers[0];
-  let userLayer = null;
-  let userRaw = null;
-  for (const configPath of USER_CONFIG_PATHS) {
-    const result = tryLoadFile(configPath);
-    if (result) {
-      userLayer = extractLayer(result);
-      userRaw = result;
+function parseDockerExecArgs(args2) {
+  let target = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (DOCKER_EXEC_FLAGS_WITH_VALUE.has(arg)) {
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!target) {
+      target = arg;
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
+      }
       break;
     }
+    i++;
   }
-  let workspaceLayer = null;
-  let workspaceRaw = null;
-  if (cwd) {
-    for (const name of PROJECT_CONFIG_NAMES) {
-      const result = tryLoadFile((0, import_path3.join)(cwd, name));
-      if (result) {
-        workspaceLayer = extractLayer(result);
-        workspaceRaw = result;
-        break;
+  return { target, remoteArgs };
+}
+function evaluateDockerExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2[0] !== "exec") return null;
+  const { target: containerName, remoteArgs } = parseDockerExecArgs(args2.slice(1));
+  if (!containerName) return null;
+  const matched = findMatchingTarget(containerName, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted Docker container "${containerName}" (${result.reason})`,
+    matchedRule: "trustedDockerContainers"
+  };
+}
+var KUBECTL_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-n",
+  "--namespace",
+  "-c",
+  "--container",
+  "--context",
+  "--cluster",
+  "--kubeconfig",
+  "-s",
+  "--server",
+  "--token",
+  "--user",
+  "--as",
+  "--as-group",
+  "--certificate-authority",
+  "--client-certificate",
+  "--client-key",
+  "-l",
+  "--selector",
+  "-f",
+  "--filename",
+  "--cache-dir",
+  "--request-timeout",
+  "-o",
+  "--output"
+]);
+function parseKubectlExecArgs(args2) {
+  let context = null;
+  let pod = null;
+  const remoteArgs = [];
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg === "--") {
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
       }
+      break;
+    }
+    if (arg.startsWith("--") && arg.includes("=")) {
+      if (arg.startsWith("--context=")) {
+        context = arg.split("=")[1];
+      }
+      i++;
+      continue;
+    }
+    if (KUBECTL_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "--context") context = args2[i + 1] || null;
+      i += 2;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!pod) {
+      pod = arg;
     }
+    i++;
   }
-  config.layers = [
-    ...workspaceLayer ? [workspaceLayer] : [],
-    ...userLayer ? [userLayer] : [],
-    defaultLayer
-  ];
-  if (userRaw) mergeNonLayerFields(config, userRaw);
-  if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
-  return config;
+  return { context, pod, remoteArgs };
 }
-function tryLoadFile(filePath) {
-  if (!(0, import_fs.existsSync)(filePath)) return null;
-  try {
-    const raw = (0, import_fs.readFileSync)(filePath, "utf-8");
-    const parsed = filePath.endsWith(".yaml") || filePath.endsWith(".yml") ? (0, import_yaml.parse)(raw) : JSON.parse(raw);
-    if (parsed && typeof parsed === "object") {
-      return parsed;
+function evaluateKubectlExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  if (args2[0] !== "exec") return null;
+  const { context, pod, remoteArgs } = parseKubectlExecArgs(args2.slice(1));
+  if (!context) return null;
+  const matched = findMatchingTarget(context, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted kubectl context "${context}"${pod ? `, pod "${pod}"` : ""} (${result.reason})`,
+    matchedRule: "trustedKubectlContexts"
+  };
+}
+var SPRITE_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-o",
+  "--org",
+  "-s",
+  "--sprite"
+]);
+function parseSpriteExecArgs(args2) {
+  let spriteName = null;
+  const remoteArgs = [];
+  let foundExec = false;
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg.startsWith("--") && arg.includes("=")) {
+      if (arg.startsWith("--sprite=")) {
+        spriteName = arg.split("=")[1];
+      }
+      i++;
+      continue;
     }
-  } catch (err) {
-    process.stderr.write(`[warden] Warning: failed to parse config ${filePath}: ${err instanceof Error ? err.message : String(err)}
-`);
+    if (SPRITE_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "-s" || arg === "--sprite") {
+        spriteName = args2[i + 1] || null;
+      }
+      i += 2;
+      continue;
+    }
+    if (arg === "--debug") {
+      i++;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      i++;
+      continue;
+    }
+    if (!foundExec) {
+      if (arg === "exec" || arg === "x" || arg === "console" || arg === "c") {
+        foundExec = true;
+        i++;
+        continue;
+      }
+      return { spriteName: null, remoteArgs: [] };
+    }
+    while (i < args2.length) {
+      remoteArgs.push(args2[i]);
+      i++;
+    }
+    break;
   }
-  return null;
+  return { spriteName, remoteArgs };
+}
+function evaluateSpriteExec(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { spriteName, remoteArgs } = parseSpriteExecArgs(args2);
+  if (!spriteName) return null;
+  const matched = findMatchingTarget(spriteName, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted sprite "${spriteName}" (${result.reason})`,
+    matchedRule: "trustedSprites"
+  };
 }
-var KNOWN_COMMANDS = /* @__PURE__ */ new Set([
-  ...DEFAULT_CONFIG.layers[0].alwaysAllow,
-  ...DEFAULT_CONFIG.layers[0].alwaysDeny,
-  ...DEFAULT_CONFIG.layers[0].rules.map((r) => r.command)
+var FLY_SSH_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-a",
+  "--app",
+  "-C",
+  "--command",
+  "-o",
+  "--org",
+  "-r",
+  "--region",
+  "-u",
+  "--user",
+  "--address"
 ]);
-function warnArgPatternCommandMismatch(rule) {
-  if (!Array.isArray(rule.argPatterns)) return;
-  for (const pattern of rule.argPatterns) {
-    const matchers = [
-      ...pattern.match?.anyArgMatches || [],
-      ...pattern.match?.argsMatch || []
-    ];
-    for (const m of matchers) {
-      const literals = extractLiteralsFromPattern(m);
-      for (const lit of literals) {
-        if (lit !== rule.command && KNOWN_COMMANDS.has(lit)) {
-          process.stderr.write(
-            `[warden] Warning: rule for "${rule.command}" has argPattern matching "${lit}" \u2014 this won't work as expected. Rules are matched by the command being run, not its arguments. If you want to control "${lit}", add a separate rule with command: "${lit}".
-`
-          );
-        }
-      }
+function parseFlySSHArgs(args2) {
+  let app = null;
+  const remoteArgs = [];
+  let isSSH = false;
+  let foundConsole = false;
+  let i = 0;
+  while (i < args2.length) {
+    const arg = args2[i];
+    if (arg.startsWith("--app=")) {
+      app = arg.slice(6);
+      i++;
+      continue;
     }
-  }
-}
-function extractLiteralsFromPattern(pattern) {
-  let cleaned = pattern.replace(/^\^?\(?(.*?)\)?\$?$/, "$1");
-  return cleaned.split("|").map((s) => s.trim()).filter((s) => /^[a-z][a-z0-9_-]*$/i.test(s));
-}
-function extractLayer(raw) {
-  const rules = Array.isArray(raw.rules) ? raw.rules : [];
-  for (const rule of rules) {
-    if (rule && typeof rule === "object") {
-      if (rule.default && !isValidDecision(rule.default)) {
-        process.stderr.write(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
-`);
-        rule.default = "ask";
+    if (FLY_SSH_FLAGS_WITH_VALUE.has(arg)) {
+      if (arg === "-a" || arg === "--app") {
+        app = args2[i + 1] || null;
       }
-      if (Array.isArray(rule.argPatterns)) {
-        for (const pattern of rule.argPatterns) {
-          if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            process.stderr.write(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
-`);
-            pattern.decision = "ask";
+      if ((arg === "-C" || arg === "--command") && foundConsole) {
+        const cmdValue = args2[i + 1];
+        if (cmdValue) {
+          const parsed = parseCommand(cmdValue);
+          if (!parsed.parseError && parsed.commands.length > 0) {
+            const cmd = parsed.commands[0];
+            remoteArgs.push(cmd.command, ...cmd.args);
           }
         }
+        i += 2;
+        continue;
       }
-      warnArgPatternCommandMismatch(rule);
+      i += 2;
+      continue;
     }
-  }
-  return {
-    alwaysAllow: Array.isArray(raw.alwaysAllow) ? raw.alwaysAllow : [],
-    alwaysDeny: Array.isArray(raw.alwaysDeny) ? raw.alwaysDeny : [],
-    rules
-  };
-}
-function parseTrustedList(raw) {
-  return raw.map((entry) => {
-    if (typeof entry === "string") return { name: entry };
-    if (entry && typeof entry === "object" && "name" in entry) {
-      const obj = entry;
-      const target = { name: String(obj.name) };
-      if (obj.allowAll === true) target.allowAll = true;
-      if (obj.overrides && typeof obj.overrides === "object") {
-        target.overrides = extractLayer(obj.overrides);
+    if (arg === "--") {
+      i++;
+      while (i < args2.length) {
+        remoteArgs.push(args2[i]);
+        i++;
       }
-      return target;
+      break;
     }
-    return null;
-  }).filter((t) => t !== null);
-}
-var VALID_REMOTE_CONTEXTS = /* @__PURE__ */ new Set(["ssh", "docker", "kubectl", "sprite", "fly"]);
-function parseTrustedRemotes(raw) {
-  const results = [];
-  for (const entry of raw) {
-    if (!entry || typeof entry !== "object") continue;
-    const obj = entry;
-    const context = String(obj.context || "");
-    if (!VALID_REMOTE_CONTEXTS.has(context)) {
-      process.stderr.write(`[warden] Warning: unknown remote context "${context}", skipping
-`);
+    if (arg.startsWith("-")) {
+      i++;
       continue;
     }
-    const name = String(obj.name || "");
-    if (!name) continue;
-    const remote = { name, context };
-    if (obj.allowAll === true) remote.allowAll = true;
-    if (obj.overrides && typeof obj.overrides === "object") {
-      remote.overrides = extractLayer(obj.overrides);
+    if (!isSSH && arg === "ssh") {
+      isSSH = true;
+      i++;
+      continue;
     }
-    results.push(remote);
-  }
-  return results;
-}
-function parseTargetPolicies(raw) {
-  const results = [];
-  for (const entry of raw) {
-    if (!entry || typeof entry !== "object") continue;
-    const obj = entry;
-    const type = String(obj.type || "");
-    const rawDecision = String(obj.decision || "allow");
-    const decision = isValidDecision(rawDecision) ? rawDecision : "allow";
-    const base = {
-      commands: Array.isArray(obj.commands) ? obj.commands.map(String) : void 0,
-      decision,
-      reason: obj.reason ? String(obj.reason) : void 0,
-      allowAll: obj.allowAll === true ? true : void 0
-    };
-    switch (type) {
-      case "path": {
-        const path = String(obj.path || "");
-        if (!path) continue;
-        const policy = { ...base, type: "path", path };
-        if (obj.recursive === false) policy.recursive = false;
-        results.push(policy);
-        break;
-      }
-      case "database": {
-        const host = String(obj.host || "");
-        if (!host) continue;
-        const policy = { ...base, type: "database", host };
-        if (typeof obj.port === "number") policy.port = obj.port;
-        if (obj.database) policy.database = String(obj.database);
-        results.push(policy);
-        break;
-      }
-      case "endpoint": {
-        const pattern = String(obj.pattern || "");
-        if (!pattern) continue;
-        results.push({ ...base, type: "endpoint", pattern });
-        break;
-      }
-      default:
-        process.stderr.write(`[warden] Warning: unknown target policy type "${type}", skipping
-`);
+    if (isSSH && !foundConsole && (arg === "console" || arg === "sftp")) {
+      foundConsole = true;
+      i++;
+      continue;
     }
+    i++;
   }
-  return results;
-}
-function parseLegacyPaths(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const path = String(obj.path || "");
-    if (!path) continue;
-    const tp = { type: "path", path, decision };
-    if (obj.recursive === false) tp.recursive = false;
-    if (Array.isArray(obj.commands)) tp.commands = obj.commands.map(String);
-    if (obj.reason) tp.reason = String(obj.reason);
-    results.push(tp);
-  }
-  return results;
-}
-function parseLegacyDatabases(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const host = String(obj.host || "");
-    if (!host) continue;
-    const td = { type: "database", host, decision };
-    if (typeof obj.port === "number") td.port = obj.port;
-    if (obj.database) td.database = String(obj.database);
-    if (Array.isArray(obj.commands)) td.commands = obj.commands.map(String);
-    if (obj.reason) td.reason = String(obj.reason);
-    results.push(td);
-  }
-  return results;
+  return { app, remoteArgs, isSSH: isSSH && foundConsole };
 }
-function parseLegacyEndpoints(raw) {
-  const results = [];
-  for (const e of raw) {
-    if (!e || typeof e !== "object") continue;
-    const obj = e;
-    const decision = String(obj.decision || "allow");
-    if (!isValidDecision(decision)) continue;
-    const pattern = String(obj.pattern || "");
-    if (!pattern) continue;
-    const te = { type: "endpoint", pattern, decision };
-    if (Array.isArray(obj.commands)) te.commands = obj.commands.map(String);
-    if (obj.reason) te.reason = String(obj.reason);
-    results.push(te);
-  }
-  return results;
+function evaluateFlyCommand(cmd, config, targets, depth = 0) {
+  const { command, args: args2 } = cmd;
+  const { app, remoteArgs, isSSH } = parseFlySSHArgs(args2);
+  if (!isSSH) return null;
+  if (!app) return null;
+  const matched = findMatchingTarget(app, targets);
+  if (!matched) return null;
+  const result = evaluateRemoteCommand(remoteArgs, config, matched, depth);
+  return {
+    command,
+    args: args2,
+    decision: result.decision,
+    reason: `Trusted Fly app "${app}" (${result.reason})`,
+    matchedRule: "trustedFlyApps"
+  };
 }
-var LEGACY_REMOTE_MAP = {
-  trustedSSHHosts: "ssh",
-  trustedDockerContainers: "docker",
-  trustedKubectlContexts: "kubectl",
-  trustedSprites: "sprite",
-  trustedFlyApps: "fly"
-};
-function mergeNonLayerFields(config, raw) {
-  if (Array.isArray(raw.trustedRemotes)) {
-    config.trustedRemotes = [...config.trustedRemotes || [], ...parseTrustedRemotes(raw.trustedRemotes)];
-  }
-  if (Array.isArray(raw.targetPolicies)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseTargetPolicies(raw.targetPolicies)];
-  }
-  for (const [key, context] of Object.entries(LEGACY_REMOTE_MAP)) {
-    if (Array.isArray(raw[key])) {
-      const remotes = parseTrustedList(raw[key]).map((t) => ({ ...t, context }));
-      config.trustedRemotes = [...config.trustedRemotes || [], ...remotes];
-    }
-  }
-  if (Array.isArray(raw.trustedPaths)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyPaths(raw.trustedPaths)];
-  }
-  if (Array.isArray(raw.trustedDatabases)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyDatabases(raw.trustedDatabases)];
-  }
-  if (Array.isArray(raw.trustedEndpoints)) {
-    config.targetPolicies = [...config.targetPolicies || [], ...parseLegacyEndpoints(raw.trustedEndpoints)];
-  }
-  if (typeof raw.defaultDecision === "string") {
-    if (isValidDecision(raw.defaultDecision)) {
-      config.defaultDecision = raw.defaultDecision;
-    } else {
-      process.stderr.write(`[warden] Warning: invalid defaultDecision "${raw.defaultDecision}", ignoring
-`);
-    }
-  }
-  if (typeof raw.askOnSubshell === "boolean") {
-    config.askOnSubshell = raw.askOnSubshell;
-  }
-  if (typeof raw.notifyOnAsk === "boolean") {
-    config.notifyOnAsk = raw.notifyOnAsk;
-  }
-  if (typeof raw.notifyOnDeny === "boolean") {
-    config.notifyOnDeny = raw.notifyOnDeny;
-  }
-  if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
-    const overrides = raw.trustedContextOverrides;
-    const layer = extractLayer(overrides);
-    if (config.trustedContextOverrides) {
-      config.trustedContextOverrides = {
-        alwaysAllow: [...layer.alwaysAllow, ...config.trustedContextOverrides.alwaysAllow],
-        alwaysDeny: [...layer.alwaysDeny, ...config.trustedContextOverrides.alwaysDeny],
-        rules: [...layer.rules, ...config.trustedContextOverrides.rules]
-      };
-    } else {
-      config.trustedContextOverrides = layer;
-    }
-  }
+// src/core.ts
+function wardenEvalWithConfig(command, config, cwd) {
+  const parsed = parseCommand(command);
+  return evaluate(parsed, config, cwd);
 }
 // src/suggest.ts
@@ -20865,11 +20846,10 @@ async function main() {
     process.exit(0);
   }
   const config = loadConfig(input.cwd);
+  const result = wardenEvalWithConfig(command, config, input.cwd);
   const yoloState = getYoloState(input.session_id);
   if (yoloState) {
-    const parsed2 = parseCommand(command);
-    const result2 = evaluate(parsed2, config, input.cwd);
-    if (result2.decision === "deny" && !yoloState.bypassDeny) {
+    if (result.decision === "deny" && !yoloState.bypassDeny) {
     } else {
       const expiryInfo = yoloState.expiresAt ? `expires ${new Date(yoloState.expiresAt).toLocaleTimeString()}` : "full session";
       const output2 = {
@@ -20883,8 +20863,6 @@ async function main() {
       process.exit(0);
     }
   }
-  const parsed = parseCommand(command);
-  const result = evaluate(parsed, config, input.cwd);
   if (result.decision === "allow") {
     const output2 = {
       hookSpecificOutput: {