claude-warden 2.4.1 → 2.5.0

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "version": "2.4.1",
+      "version": "2.5.0",
       "author": {
         "name": "banyudu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.4.1",
+  "version": "2.5.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -104,27 +104,62 @@ cd claude-warden && npm install && npm run build
 claude --plugin-dir ./claude-warden
 ```
 
-## Codex CLI (experimental)
+## Codex CLI
 
-Codex currently uses `execpolicy` (`.rules` files) for command approvals. Warden can export your effective command-level decisions to a Codex rules file:
+Codex supports [PreToolUse hooks](https://developers.openai.com/codex/hooks) with a wire protocol nearly identical to Claude Code's, so the **same** Warden hook binary works natively — no rule export needed.
+
+### Setup
+
+1. Install Warden globally so the `warden-hook` binary lands in your `PATH`:
 
 ```bash
-pnpm run build
-pnpm run codex:export-rules
+npm install -g claude-warden
+```
+
+2. Drop the following into `~/.codex/hooks.json` (user-wide) or `<repo>/.codex/hooks.json` (project-scoped):
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "warden-hook",
+            "statusMessage": "Checking Bash command with Warden"
+          }
+        ]
+      }
+    ]
+  }
+}
 ```
 
-This writes `.codex/rules/warden.rules` in the current project by default.
+A ready-to-use template ships at [`.codex/hooks.json`](.codex/hooks.json). If `warden-hook` isn't on your `PATH` (e.g. non-global install), use the absolute path instead: `node /path/to/claude-warden/dist/index.cjs`.
 
-- Use `--cwd <dir>` to choose which workspace config to load.
-- Use `--out <path>` to choose an output path.
-- Use `--stdout` to print the generated rules.
+### How it works
+
+Codex sends the same `{tool_name, tool_input.command, cwd, session_id, ...}` payload on stdin and accepts the same `hookSpecificOutput.permissionDecision` response as Claude Code. The identical `dist/index.cjs` binary runs the full parser/evaluator pipeline — trusted hosts, YOLO mode, argument-aware rules, and all. The same `~/.claude/warden.yaml` and `.claude/warden.yaml` config files drive both.
+
+### Known Codex limitations
 
-Example:
+- **Bash only** — Codex PreToolUse currently intercepts only shell commands; MCP, Write, and WebSearch tools are not hooked.
+- **Work in progress upstream** — Codex's hook system may miss some shell invocations. Treat it as defense-in-depth, not a hard sandbox.
+- **`deny` is authoritative; `allow`/`ask` fail open** — Codex currently honors `deny` (and exit code 2) but treats `allow`/`ask` as "fail open" (command proceeds). This is safe: Warden's deny list still blocks dangerous commands.
+- **No undo** — hooks cannot revert a command that has already executed.
+
+### Fallback: static rule export
+
+For environments where the hook approach isn't viable, Warden can still export a static `execpolicy` rules file:
 
 ```bash
-node dist/codex-export.cjs --cwd . --out .codex/rules/warden.rules
+pnpm run codex:export-rules   # writes .codex/rules/warden.rules
 ```
 
+Use `--cwd <dir>`, `--out <path>`, or `--stdout` to customize. This snapshot loses dynamic behavior (trusted hosts, YOLO, etc.) but works with older Codex setups.
+
 ## GitHub Copilot CLI
 
 Warden supports GitHub Copilot CLI's [preToolUse hook](https://docs.github.com/en/copilot/reference/hooks-configuration) natively.

package/dist/cli.cjs

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/dist/codex-export.cjs

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/dist/copilot.cjs

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/dist/index.cjs

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "claude-warden",
-  "version": "2.4.1",
+  "version": "2.5.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",
   "bin": {
-    "warden": "dist/cli.cjs"
+    "warden": "dist/cli.cjs",
+    "warden-hook": "dist/index.cjs"
   },
   "license": "MIT",
   "author": "banyudu",
@@ -34,16 +35,6 @@
     "README.md",
     "LICENSE"
   ],
-  "dependencies": {
-    "bash-parser": "npm:@banyudu/bash-parser@0.5.2",
-    "yaml": "^2.4.0"
-  },
-  "devDependencies": {
-    "@types/node": "^20.0.0",
-    "tsup": "^8.0.0",
-    "typescript": "^5.4.0",
-    "vitest": "^1.6.0"
-  },
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",
@@ -57,7 +48,19 @@
     "release": "scripts/release.sh patch",
     "release:minor": "scripts/release.sh minor",
     "release:major": "scripts/release.sh major",
+    "prepublishOnly": "pnpm run sync-plugin-version && pnpm run build && pnpm run test",
+    "postpublish": "claude plugin update claude-warden@local 2>/dev/null; claude plugin update warden@claude-warden 2>/dev/null; echo 'Plugin caches updated'",
     "docs:dev": "cd docs-src && pnpm dev",
     "docs:build": "cd docs-src && pnpm install && pnpm build"
+  },
+  "dependencies": {
+    "bash-parser": "npm:@banyudu/bash-parser@0.5.2",
+    "yaml": "^2.4.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.6.0"
   }
-}
+}