claude-warden 2.4.0 → 2.5.0

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "version": "2.4.0",
+      "version": "2.5.0",
       "author": {
         "name": "banyudu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -104,27 +104,62 @@ cd claude-warden && npm install && npm run build
 claude --plugin-dir ./claude-warden
 ```
 
-## Codex CLI (experimental)
+## Codex CLI
 
-Codex currently uses `execpolicy` (`.rules` files) for command approvals. Warden can export your effective command-level decisions to a Codex rules file:
+Codex supports [PreToolUse hooks](https://developers.openai.com/codex/hooks) with a wire protocol nearly identical to Claude Code's, so the **same** Warden hook binary works natively — no rule export needed.
+
+### Setup
+
+1. Install Warden globally so the `warden-hook` binary lands in your `PATH`:
 
 ```bash
-pnpm run build
-pnpm run codex:export-rules
+npm install -g claude-warden
+```
+
+2. Drop the following into `~/.codex/hooks.json` (user-wide) or `<repo>/.codex/hooks.json` (project-scoped):
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "warden-hook",
+            "statusMessage": "Checking Bash command with Warden"
+          }
+        ]
+      }
+    ]
+  }
+}
 ```
 
-This writes `.codex/rules/warden.rules` in the current project by default.
+A ready-to-use template ships at [`.codex/hooks.json`](.codex/hooks.json). If `warden-hook` isn't on your `PATH` (e.g. non-global install), use the absolute path instead: `node /path/to/claude-warden/dist/index.cjs`.
 
-- Use `--cwd <dir>` to choose which workspace config to load.
-- Use `--out <path>` to choose an output path.
-- Use `--stdout` to print the generated rules.
+### How it works
+
+Codex sends the same `{tool_name, tool_input.command, cwd, session_id, ...}` payload on stdin and accepts the same `hookSpecificOutput.permissionDecision` response as Claude Code. The identical `dist/index.cjs` binary runs the full parser/evaluator pipeline — trusted hosts, YOLO mode, argument-aware rules, and all. The same `~/.claude/warden.yaml` and `.claude/warden.yaml` config files drive both.
+
+### Known Codex limitations
 
-Example:
+- **Bash only** — Codex PreToolUse currently intercepts only shell commands; MCP, Write, and WebSearch tools are not hooked.
+- **Work in progress upstream** — Codex's hook system may miss some shell invocations. Treat it as defense-in-depth, not a hard sandbox.
+- **`deny` is authoritative; `allow`/`ask` fail open** — Codex currently honors `deny` (and exit code 2) but treats `allow`/`ask` as "fail open" (command proceeds). This is safe: Warden's deny list still blocks dangerous commands.
+- **No undo** — hooks cannot revert a command that has already executed.
+
+### Fallback: static rule export
+
+For environments where the hook approach isn't viable, Warden can still export a static `execpolicy` rules file:
 
 ```bash
-node dist/codex-export.cjs --cwd . --out .codex/rules/warden.rules
+pnpm run codex:export-rules   # writes .codex/rules/warden.rules
 ```
 
+Use `--cwd <dir>`, `--out <path>`, or `--stdout` to customize. This snapshot loses dynamic behavior (trusted hosts, YOLO, etc.) but works with older Codex setups.
+
 ## GitHub Copilot CLI
 
 Warden supports GitHub Copilot CLI's [preToolUse hook](https://docs.github.com/en/copilot/reference/hooks-configuration) natively.