claude-warden 2.6.0 → 2.8.0

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "version": "2.6.0",
+      "version": "2.8.0",
       "author": {
         "name": "banyudu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.6.0",
+  "version": "2.8.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/config/warden.default.yaml

@@ -19,6 +19,26 @@ askOnSubshell: true
 notifyOnAsk: true
 notifyOnDeny: true
 
+# Guidance injected into every Claude Code session via the SessionStart hook.
+# Claude sees this as a system message, so it can shape tool choice *before*
+# warden needs to ask or deny. Keep it short — it competes for context.
+#
+# - Omit the key to use the built-in default (prefer jq, save temp scripts to
+#   tempScriptDir below, read deny reasons, mention /warden:allow and /warden:yolo).
+# - Set to a string to override with your own guidance.
+# - Set to `false` to disable injection entirely.
+#
+# sessionGuidance: |
+#   Warden is active. Prefer allow-listed tools (e.g. jq for JSON). For
+#   multi-line logic, save a temp script under /tmp/ instead of using
+#   inline `bash -c` / `node -e`.
+
+# Directory the built-in guidance tells Claude to save throwaway multi-line
+# scripts to. Defaults to `/tmp` so scripts don't pollute the repo. Point at
+# another location (e.g. `.warden-scratch`) if you want them tracked per-project.
+# Only used when `sessionGuidance` is unset.
+# tempScriptDir: /tmp
+
 # Additional commands to always allow (checked after alwaysDeny within this scope)
 # alwaysAllow:
 #   - terraform
@@ -175,3 +195,25 @@ notifyOnDeny: true
 #           anyArgMatches: ['^(ps|images|logs)$']
 #         decision: allow
 #         description: Read-only docker commands
+
+# Skill (slash command) rules — filter Claude Code skill invocations.
+# Skill names use the short form (e.g. "commit", not "/commit").
+# Glob patterns supported for namespace matching (e.g. "example-plugin:*").
+# Built-in defaults auto-allow common safe skills (commit, review, simplify, init).
+# skills:
+#   defaultDecision: ask
+#   alwaysAllow:
+#     - commit
+#     - review
+#     - simplify
+#     - "example-plugin:*"
+#   alwaysDeny:
+#     - deploy
+#   rules:
+#     - skill: release
+#       default: ask
+#       argPatterns:
+#         - match:
+#             argsMatch: ["--dry-run"]
+#           decision: allow
+#           description: Dry-run release is safe

package/dist/cli.cjs

@@ -18888,6 +18888,63 @@ function pkgRunnerRule(command) {
     ]
   };
 }
+var DEFAULT_SKILL_RULES = {
+  defaultDecision: "ask",
+  layers: [{
+    alwaysAllow: [
+      // Built-in review/analysis skills
+      "review",
+      "security-review",
+      // Code review plugins
+      "code-review:code-review",
+      "pr-review-toolkit:review-pr",
+      // Slack read-only skills
+      "slack:find-discussions",
+      "slack:summarize-channel",
+      "slack:channel-digest",
+      "slack:standup",
+      "slack:draft-announcement",
+      "slack:slack-messaging",
+      "slack:slack-search",
+      // Search/summarization
+      "promptfolio-summarize",
+      "promptfolio-search-skills",
+      "promptfolio-search-people",
+      // Informational/guidance skills
+      "keybindings-help",
+      "claude-api",
+      "azure-tools:azure-usage",
+      "gcloud-tools:gcloud-usage",
+      "linear-tools:linear-usage",
+      "tavily-tools:tavily-usage",
+      "mongodb-tools:mongodb-usage",
+      "supabase-tools:supabase-usage",
+      "playwright-tools:playwright-testing",
+      // Plugin development guidance (read-only context loading)
+      "plugin-dev:agent-development",
+      "plugin-dev:mcp-integration",
+      "plugin-dev:skill-development",
+      "plugin-dev:plugin-settings",
+      "plugin-dev:command-development",
+      "plugin-dev:plugin-structure",
+      "plugin-dev:hook-development"
+    ],
+    alwaysDeny: [],
+    rules: []
+  }]
+};
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -18895,6 +18952,7 @@ var DEFAULT_CONFIG = {
   notifyOnDeny: true,
   trustedRemotes: [],
   targetPolicies: [],
+  skillRules: DEFAULT_SKILL_RULES,
   layers: [{
     alwaysAllow: [
       // Read-only file operations
@@ -19525,6 +19583,14 @@ function loadConfig(cwd) {
     ...userLayer ? [userLayer] : [],
     defaultLayer
   ];
+  const defaultSkillLayer = config.skillRules.layers[0];
+  const userSkillLayer = userRaw?.skills ? extractSkillLayer(userRaw.skills) : null;
+  const workspaceSkillLayer = workspaceRaw?.skills ? extractSkillLayer(workspaceRaw.skills) : null;
+  config.skillRules.layers = [
+    ...workspaceSkillLayer ? [workspaceSkillLayer] : [],
+    ...userSkillLayer ? [userSkillLayer] : [],
+    defaultSkillLayer
+  ];
   if (userRaw) mergeNonLayerFields(config, userRaw);
   if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
   return config;
@@ -19543,19 +19609,19 @@ function tryLoadFile(filePath) {
   }
   return null;
 }
-function extractLayer(raw) {
+function extractGenericLayer(raw, nameKey) {
   const rules = Array.isArray(raw.rules) ? raw.rules : [];
   for (const rule of rules) {
     if (rule && typeof rule === "object") {
       if (rule.default && !isValidDecision(rule.default)) {
-        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule[nameKey]}", using "ask"
 `);
         rule.default = "ask";
       }
       if (Array.isArray(rule.argPatterns)) {
         for (const pattern of rule.argPatterns) {
           if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule[nameKey]}", using "ask"
 `);
             pattern.decision = "ask";
           }
@@ -19569,6 +19635,12 @@ function extractLayer(raw) {
     rules
   };
 }
+function extractSkillLayer(raw) {
+  return extractGenericLayer(raw, "skill");
+}
+function extractLayer(raw) {
+  return extractGenericLayer(raw, "command");
+}
 function parseTrustedList(raw) {
   return raw.map((entry) => {
     if (typeof entry === "string") return { name: entry };
@@ -19749,6 +19821,29 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
+  if (raw.skills && typeof raw.skills === "object") {
+    const skills = raw.skills;
+    if (typeof skills.defaultDecision === "string") {
+      if (isValidDecision(skills.defaultDecision)) {
+        config.skillRules.defaultDecision = skills.defaultDecision;
+      } else {
+        warn(`[warden] Warning: invalid skills.defaultDecision "${skills.defaultDecision}", ignoring
+`);
+      }
+    }
+  }
   if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
     const overrides = raw.trustedContextOverrides;
     const layer = extractLayer(overrides);

package/dist/codex-export.cjs

@@ -18892,6 +18892,63 @@ function pkgRunnerRule(command) {
     ]
   };
 }
+var DEFAULT_SKILL_RULES = {
+  defaultDecision: "ask",
+  layers: [{
+    alwaysAllow: [
+      // Built-in review/analysis skills
+      "review",
+      "security-review",
+      // Code review plugins
+      "code-review:code-review",
+      "pr-review-toolkit:review-pr",
+      // Slack read-only skills
+      "slack:find-discussions",
+      "slack:summarize-channel",
+      "slack:channel-digest",
+      "slack:standup",
+      "slack:draft-announcement",
+      "slack:slack-messaging",
+      "slack:slack-search",
+      // Search/summarization
+      "promptfolio-summarize",
+      "promptfolio-search-skills",
+      "promptfolio-search-people",
+      // Informational/guidance skills
+      "keybindings-help",
+      "claude-api",
+      "azure-tools:azure-usage",
+      "gcloud-tools:gcloud-usage",
+      "linear-tools:linear-usage",
+      "tavily-tools:tavily-usage",
+      "mongodb-tools:mongodb-usage",
+      "supabase-tools:supabase-usage",
+      "playwright-tools:playwright-testing",
+      // Plugin development guidance (read-only context loading)
+      "plugin-dev:agent-development",
+      "plugin-dev:mcp-integration",
+      "plugin-dev:skill-development",
+      "plugin-dev:plugin-settings",
+      "plugin-dev:command-development",
+      "plugin-dev:plugin-structure",
+      "plugin-dev:hook-development"
+    ],
+    alwaysDeny: [],
+    rules: []
+  }]
+};
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -18899,6 +18956,7 @@ var DEFAULT_CONFIG = {
   notifyOnDeny: true,
   trustedRemotes: [],
   targetPolicies: [],
+  skillRules: DEFAULT_SKILL_RULES,
   layers: [{
     alwaysAllow: [
       // Read-only file operations
@@ -19529,6 +19587,14 @@ function loadConfig(cwd) {
     ...userLayer ? [userLayer] : [],
     defaultLayer
   ];
+  const defaultSkillLayer = config.skillRules.layers[0];
+  const userSkillLayer = userRaw?.skills ? extractSkillLayer(userRaw.skills) : null;
+  const workspaceSkillLayer = workspaceRaw?.skills ? extractSkillLayer(workspaceRaw.skills) : null;
+  config.skillRules.layers = [
+    ...workspaceSkillLayer ? [workspaceSkillLayer] : [],
+    ...userSkillLayer ? [userSkillLayer] : [],
+    defaultSkillLayer
+  ];
   if (userRaw) mergeNonLayerFields(config, userRaw);
   if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
   return config;
@@ -19547,19 +19613,19 @@ function tryLoadFile(filePath) {
   }
   return null;
 }
-function extractLayer(raw) {
+function extractGenericLayer(raw, nameKey) {
   const rules = Array.isArray(raw.rules) ? raw.rules : [];
   for (const rule of rules) {
     if (rule && typeof rule === "object") {
       if (rule.default && !isValidDecision(rule.default)) {
-        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule[nameKey]}", using "ask"
 `);
         rule.default = "ask";
       }
       if (Array.isArray(rule.argPatterns)) {
         for (const pattern of rule.argPatterns) {
           if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule[nameKey]}", using "ask"
 `);
             pattern.decision = "ask";
           }
@@ -19573,6 +19639,12 @@ function extractLayer(raw) {
     rules
   };
 }
+function extractSkillLayer(raw) {
+  return extractGenericLayer(raw, "skill");
+}
+function extractLayer(raw) {
+  return extractGenericLayer(raw, "command");
+}
 function parseTrustedList(raw) {
   return raw.map((entry) => {
     if (typeof entry === "string") return { name: entry };
@@ -19753,6 +19825,29 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
+  if (raw.skills && typeof raw.skills === "object") {
+    const skills = raw.skills;
+    if (typeof skills.defaultDecision === "string") {
+      if (isValidDecision(skills.defaultDecision)) {
+        config.skillRules.defaultDecision = skills.defaultDecision;
+      } else {
+        warn(`[warden] Warning: invalid skills.defaultDecision "${skills.defaultDecision}", ignoring
+`);
+      }
+    }
+  }
   if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
     const overrides = raw.trustedContextOverrides;
     const layer = extractLayer(overrides);

package/dist/copilot.cjs

@@ -18888,6 +18888,63 @@ function pkgRunnerRule(command) {
     ]
   };
 }
+var DEFAULT_SKILL_RULES = {
+  defaultDecision: "ask",
+  layers: [{
+    alwaysAllow: [
+      // Built-in review/analysis skills
+      "review",
+      "security-review",
+      // Code review plugins
+      "code-review:code-review",
+      "pr-review-toolkit:review-pr",
+      // Slack read-only skills
+      "slack:find-discussions",
+      "slack:summarize-channel",
+      "slack:channel-digest",
+      "slack:standup",
+      "slack:draft-announcement",
+      "slack:slack-messaging",
+      "slack:slack-search",
+      // Search/summarization
+      "promptfolio-summarize",
+      "promptfolio-search-skills",
+      "promptfolio-search-people",
+      // Informational/guidance skills
+      "keybindings-help",
+      "claude-api",
+      "azure-tools:azure-usage",
+      "gcloud-tools:gcloud-usage",
+      "linear-tools:linear-usage",
+      "tavily-tools:tavily-usage",
+      "mongodb-tools:mongodb-usage",
+      "supabase-tools:supabase-usage",
+      "playwright-tools:playwright-testing",
+      // Plugin development guidance (read-only context loading)
+      "plugin-dev:agent-development",
+      "plugin-dev:mcp-integration",
+      "plugin-dev:skill-development",
+      "plugin-dev:plugin-settings",
+      "plugin-dev:command-development",
+      "plugin-dev:plugin-structure",
+      "plugin-dev:hook-development"
+    ],
+    alwaysDeny: [],
+    rules: []
+  }]
+};
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -18895,6 +18952,7 @@ var DEFAULT_CONFIG = {
   notifyOnDeny: true,
   trustedRemotes: [],
   targetPolicies: [],
+  skillRules: DEFAULT_SKILL_RULES,
   layers: [{
     alwaysAllow: [
       // Read-only file operations
@@ -19522,6 +19580,14 @@ function loadConfig(cwd) {
     ...userLayer ? [userLayer] : [],
     defaultLayer
   ];
+  const defaultSkillLayer = config.skillRules.layers[0];
+  const userSkillLayer = userRaw?.skills ? extractSkillLayer(userRaw.skills) : null;
+  const workspaceSkillLayer = workspaceRaw?.skills ? extractSkillLayer(workspaceRaw.skills) : null;
+  config.skillRules.layers = [
+    ...workspaceSkillLayer ? [workspaceSkillLayer] : [],
+    ...userSkillLayer ? [userSkillLayer] : [],
+    defaultSkillLayer
+  ];
   if (userRaw) mergeNonLayerFields(config, userRaw);
   if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
   return config;
@@ -19540,19 +19606,19 @@ function tryLoadFile(filePath) {
   }
   return null;
 }
-function extractLayer(raw) {
+function extractGenericLayer(raw, nameKey) {
   const rules = Array.isArray(raw.rules) ? raw.rules : [];
   for (const rule of rules) {
     if (rule && typeof rule === "object") {
       if (rule.default && !isValidDecision(rule.default)) {
-        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule[nameKey]}", using "ask"
 `);
         rule.default = "ask";
       }
       if (Array.isArray(rule.argPatterns)) {
         for (const pattern of rule.argPatterns) {
           if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule[nameKey]}", using "ask"
 `);
             pattern.decision = "ask";
           }
@@ -19566,6 +19632,12 @@ function extractLayer(raw) {
     rules
   };
 }
+function extractSkillLayer(raw) {
+  return extractGenericLayer(raw, "skill");
+}
+function extractLayer(raw) {
+  return extractGenericLayer(raw, "command");
+}
 function parseTrustedList(raw) {
   return raw.map((entry) => {
     if (typeof entry === "string") return { name: entry };
@@ -19746,6 +19818,29 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
+  if (raw.skills && typeof raw.skills === "object") {
+    const skills = raw.skills;
+    if (typeof skills.defaultDecision === "string") {
+      if (isValidDecision(skills.defaultDecision)) {
+        config.skillRules.defaultDecision = skills.defaultDecision;
+      } else {
+        warn(`[warden] Warning: invalid skills.defaultDecision "${skills.defaultDecision}", ignoring
+`);
+      }
+    }
+  }
   if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
     const overrides = raw.trustedContextOverrides;
     const layer = extractLayer(overrides);

package/dist/index.cjs

@@ -18888,6 +18888,63 @@ function pkgRunnerRule(command) {
     ]
   };
 }
+var DEFAULT_SKILL_RULES = {
+  defaultDecision: "ask",
+  layers: [{
+    alwaysAllow: [
+      // Built-in review/analysis skills
+      "review",
+      "security-review",
+      // Code review plugins
+      "code-review:code-review",
+      "pr-review-toolkit:review-pr",
+      // Slack read-only skills
+      "slack:find-discussions",
+      "slack:summarize-channel",
+      "slack:channel-digest",
+      "slack:standup",
+      "slack:draft-announcement",
+      "slack:slack-messaging",
+      "slack:slack-search",
+      // Search/summarization
+      "promptfolio-summarize",
+      "promptfolio-search-skills",
+      "promptfolio-search-people",
+      // Informational/guidance skills
+      "keybindings-help",
+      "claude-api",
+      "azure-tools:azure-usage",
+      "gcloud-tools:gcloud-usage",
+      "linear-tools:linear-usage",
+      "tavily-tools:tavily-usage",
+      "mongodb-tools:mongodb-usage",
+      "supabase-tools:supabase-usage",
+      "playwright-tools:playwright-testing",
+      // Plugin development guidance (read-only context loading)
+      "plugin-dev:agent-development",
+      "plugin-dev:mcp-integration",
+      "plugin-dev:skill-development",
+      "plugin-dev:plugin-settings",
+      "plugin-dev:command-development",
+      "plugin-dev:plugin-structure",
+      "plugin-dev:hook-development"
+    ],
+    alwaysDeny: [],
+    rules: []
+  }]
+};
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -18895,6 +18952,7 @@ var DEFAULT_CONFIG = {
   notifyOnDeny: true,
   trustedRemotes: [],
   targetPolicies: [],
+  skillRules: DEFAULT_SKILL_RULES,
   layers: [{
     alwaysAllow: [
       // Read-only file operations
@@ -19522,6 +19580,14 @@ function loadConfig(cwd) {
     ...userLayer ? [userLayer] : [],
     defaultLayer
   ];
+  const defaultSkillLayer = config.skillRules.layers[0];
+  const userSkillLayer = userRaw?.skills ? extractSkillLayer(userRaw.skills) : null;
+  const workspaceSkillLayer = workspaceRaw?.skills ? extractSkillLayer(workspaceRaw.skills) : null;
+  config.skillRules.layers = [
+    ...workspaceSkillLayer ? [workspaceSkillLayer] : [],
+    ...userSkillLayer ? [userSkillLayer] : [],
+    defaultSkillLayer
+  ];
   if (userRaw) mergeNonLayerFields(config, userRaw);
   if (workspaceRaw) mergeNonLayerFields(config, workspaceRaw);
   return config;
@@ -19540,19 +19606,19 @@ function tryLoadFile(filePath) {
   }
   return null;
 }
-function extractLayer(raw) {
+function extractGenericLayer(raw, nameKey) {
   const rules = Array.isArray(raw.rules) ? raw.rules : [];
   for (const rule of rules) {
     if (rule && typeof rule === "object") {
       if (rule.default && !isValidDecision(rule.default)) {
-        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule.command}", using "ask"
+        warn(`[warden] Warning: invalid rule default "${rule.default}" for "${rule[nameKey]}", using "ask"
 `);
         rule.default = "ask";
       }
       if (Array.isArray(rule.argPatterns)) {
         for (const pattern of rule.argPatterns) {
           if (pattern?.decision && !isValidDecision(pattern.decision)) {
-            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule.command}", using "ask"
+            warn(`[warden] Warning: invalid pattern decision "${pattern.decision}" for "${rule[nameKey]}", using "ask"
 `);
             pattern.decision = "ask";
           }
@@ -19566,6 +19632,12 @@ function extractLayer(raw) {
     rules
   };
 }
+function extractSkillLayer(raw) {
+  return extractGenericLayer(raw, "skill");
+}
+function extractLayer(raw) {
+  return extractGenericLayer(raw, "command");
+}
 function parseTrustedList(raw) {
   return raw.map((entry) => {
     if (typeof entry === "string") return { name: entry };
@@ -19746,6 +19818,29 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
+  if (raw.skills && typeof raw.skills === "object") {
+    const skills = raw.skills;
+    if (typeof skills.defaultDecision === "string") {
+      if (isValidDecision(skills.defaultDecision)) {
+        config.skillRules.defaultDecision = skills.defaultDecision;
+      } else {
+        warn(`[warden] Warning: invalid skills.defaultDecision "${skills.defaultDecision}", ignoring
+`);
+      }
+    }
+  }
   if (raw.trustedContextOverrides && typeof raw.trustedContextOverrides === "object") {
     const overrides = raw.trustedContextOverrides;
     const layer = extractLayer(overrides);
@@ -20599,6 +20694,110 @@ function wardenEvalWithConfig(command, config, cwd) {
   return evaluate(parsed, config, cwd);
 }
 
+// src/skill-evaluator.ts
+function skillMatchesName(skillName, pattern) {
+  return globToRegex(pattern).test(skillName);
+}
+function evaluateSkill(skillName, args2, config) {
+  const detail = evaluateSkillDetail(skillName, args2, config);
+  return {
+    decision: detail.decision,
+    reason: detail.reason,
+    details: [detail]
+  };
+}
+function evaluateSkillDetail(skillName, args2, config) {
+  const { skillRules } = config;
+  for (const layer of skillRules.layers) {
+    if (layer.alwaysDeny.some((p) => skillMatchesName(skillName, p))) {
+      return {
+        command: skillName,
+        args: args2 ? [args2] : [],
+        decision: "deny",
+        reason: `Skill "${skillName}" is blocked`,
+        matchedRule: "alwaysDeny"
+      };
+    }
+    if (layer.alwaysAllow.some((p) => skillMatchesName(skillName, p))) {
+      return {
+        command: skillName,
+        args: args2 ? [args2] : [],
+        decision: "allow",
+        reason: `Skill "${skillName}" is safe`,
+        matchedRule: "alwaysAllow"
+      };
+    }
+  }
+  const mergedRule = collectMergedSkillRule(skillName, skillRules.layers.map((l) => l.rules));
+  if (mergedRule) {
+    return evaluateSkillRule(skillName, args2, mergedRule);
+  }
+  return {
+    command: skillName,
+    args: args2 ? [args2] : [],
+    decision: skillRules.defaultDecision,
+    reason: `No rule for skill "${skillName}"`,
+    matchedRule: "default"
+  };
+}
+function collectMergedSkillRule(skillName, layerRules) {
+  const matching = [];
+  for (const rules of layerRules) {
+    const rule = rules.find((r) => skillMatchesName(skillName, r.skill));
+    if (rule) {
+      matching.push(rule);
+      if (rule.override) break;
+    }
+  }
+  if (matching.length === 0) return null;
+  if (matching.length === 1) return matching[0];
+  const mergedPatterns = [];
+  for (const rule of matching) {
+    if (rule.argPatterns) {
+      mergedPatterns.push(...rule.argPatterns);
+    }
+  }
+  return {
+    skill: matching[0].skill,
+    default: matching[0].default,
+    argPatterns: mergedPatterns
+  };
+}
+function evaluateSkillRule(skillName, args2, rule) {
+  const argsArray = args2 ? [args2] : [];
+  const argsJoined = args2 || "";
+  for (const pattern of rule.argPatterns || []) {
+    const m = pattern.match;
+    let matched = true;
+    if (m.noArgs !== void 0) {
+      matched = matched && m.noArgs === !args2;
+    }
+    if (m.argsMatch && matched) {
+      matched = m.argsMatch.some((re) => safeRegexTest(re, argsJoined));
+    }
+    if (m.anyArgMatches && matched) {
+      matched = argsArray.some((arg) => m.anyArgMatches.some((re) => safeRegexTest(re, arg)));
+    }
+    if (m.not) matched = !matched;
+    if (matched) {
+      return {
+        command: skillName,
+        args: argsArray,
+        decision: pattern.decision,
+        reason: pattern.reason || pattern.description || `Matched pattern for skill "${skillName}"`,
+        matchedRule: `${skillName}:argPattern`
+      };
+    }
+  }
+  return {
+    command: skillName,
+    args: argsArray,
+    decision: rule.default,
+    reason: `Default for skill "${skillName}"`,
+    matchedRule: `${skillName}:default`
+  };
+}
+
 // src/suggest.ts
 function generateAllowSnippet(details) {
   const lines = [];
@@ -20799,20 +20998,47 @@ function deactivateYolo(sessionId) {
 
 // src/index.ts
 var MAX_STDIN_SIZE = 1024 * 1024;
+function emitDecision(decision, reason, stderrMessage) {
+  const output = {
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: decision,
+      permissionDecisionReason: reason
+    }
+  };
+  process.stdout.write(JSON.stringify(output));
+  if (decision === "deny") {
+    process.stderr.write(`${stderrMessage ?? reason}
+`);
+    process.exit(2);
+  }
+  process.exit(0);
+}
+function handleSessionStart(config) {
+  if (config.sessionGuidance === false) process.exit(0);
+  const text = config.sessionGuidance ?? buildDefaultSessionGuidance(config.tempScriptDir ?? DEFAULT_TEMP_SCRIPT_DIR);
+  const output = {
+    hookSpecificOutput: {
+      hookEventName: "SessionStart",
+      additionalContext: text
+    }
+  };
+  process.stdout.write(JSON.stringify(output));
+  process.exit(0);
+}
+function handleYoloMode(sessionId, result) {
+  const yoloState = getYoloState(sessionId);
+  if (!yoloState) return;
+  if (result.decision === "deny" && !yoloState.bypassDeny) return;
+  const expiryInfo = yoloState.expiresAt ? `expires ${new Date(yoloState.expiresAt).toLocaleTimeString()}` : "full session";
+  emitDecision("allow", `[warden] YOLO mode active (${expiryInfo})`);
+}
 async function main() {
   let raw = "";
   for await (const chunk of process.stdin) {
     raw += chunk;
     if (raw.length > MAX_STDIN_SIZE) {
-      const output2 = {
-        hookSpecificOutput: {
-          hookEventName: "PreToolUse",
-          permissionDecision: "ask",
-          permissionDecisionReason: "[warden] Input exceeds size limit"
-        }
-      };
-      process.stdout.write(JSON.stringify(output2));
-      process.exit(0);
+      emitDecision("ask", "[warden] Input exceeds size limit");
     }
   }
   let input;
@@ -20821,7 +21047,11 @@ async function main() {
   } catch {
     process.exit(0);
   }
-  if (input.tool_name !== "Bash") {
+  if (input.hook_event_name === "SessionStart") {
+    const config2 = loadConfig(input.cwd);
+    handleSessionStart(config2);
+  }
+  if (input.tool_name !== "Bash" && input.tool_name !== "Skill") {
     process.exit(0);
   }
   if (input.permission_mode === "bypassPermissions") {
@@ -20830,100 +21060,63 @@ async function main() {
   if (process.env.WARDEN_YOLO === "true" || process.env.WARDEN_YOLO === "1") {
     process.exit(0);
   }
+  if (input.tool_name === "Skill") {
+    const skillName = input.tool_input?.skill;
+    if (!skillName || typeof skillName !== "string") process.exit(0);
+    const args2 = typeof input.tool_input?.args === "string" ? input.tool_input.args : void 0;
+    const config2 = loadConfig(input.cwd);
+    const result2 = evaluateSkill(skillName, args2, config2);
+    handleYoloMode(input.session_id, result2);
+    emitResult(result2, `skill:${skillName}`, config2);
+  }
   const command = input.tool_input?.command;
   if (!command || typeof command !== "string") {
     process.exit(0);
   }
   const yoloCmd = parseYoloCommand(command);
   if (yoloCmd) {
-    let msg2;
+    let msg;
     if (yoloCmd.action === "activate") {
       const state = activateYolo(input.session_id, yoloCmd.durationMinutes);
       const expiryInfo = state.expiresAt ? `expires at ${new Date(state.expiresAt).toLocaleTimeString()}` : "full session, no expiry";
-      msg2 = `[warden] YOLO mode activated (${expiryInfo}). Always-deny commands are still blocked. Use \`echo __WARDEN_YOLO_DEACTIVATE__\` to turn off.`;
+      msg = `[warden] YOLO mode activated (${expiryInfo}). Always-deny commands are still blocked. Use \`echo __WARDEN_YOLO_DEACTIVATE__\` to turn off.`;
     } else if (yoloCmd.action === "deactivate") {
       deactivateYolo(input.session_id);
-      msg2 = "[warden] YOLO mode deactivated. Normal rule evaluation resumed.";
+      msg = "[warden] YOLO mode deactivated. Normal rule evaluation resumed.";
     } else {
       const state = getYoloState(input.session_id);
       if (state) {
         const expiryInfo = state.expiresAt ? `expires at ${new Date(state.expiresAt).toLocaleTimeString()}` : "full session";
-        msg2 = `[warden] YOLO mode is active (${expiryInfo})`;
+        msg = `[warden] YOLO mode is active (${expiryInfo})`;
       } else {
-        msg2 = "[warden] YOLO mode is not active";
+        msg = "[warden] YOLO mode is not active";
       }
     }
-    const output2 = {
-      hookSpecificOutput: {
-        hookEventName: "PreToolUse",
-        permissionDecision: "allow",
-        permissionDecisionReason: msg2
-      }
-    };
-    process.stdout.write(JSON.stringify(output2));
-    process.exit(0);
+    emitDecision("allow", msg);
   }
   const config = loadConfig(input.cwd);
   const result = wardenEvalWithConfig(command, config, input.cwd);
-  const yoloState = getYoloState(input.session_id);
-  if (yoloState) {
-    if (result.decision === "deny" && !yoloState.bypassDeny) {
-    } else {
-      const expiryInfo = yoloState.expiresAt ? `expires ${new Date(yoloState.expiresAt).toLocaleTimeString()}` : "full session";
-      const output2 = {
-        hookSpecificOutput: {
-          hookEventName: "PreToolUse",
-          permissionDecision: "allow",
-          permissionDecisionReason: `[warden] YOLO mode active (${expiryInfo})`
-        }
-      };
-      process.stdout.write(JSON.stringify(output2));
-      process.exit(0);
-    }
-  }
+  handleYoloMode(input.session_id, result);
+  emitResult(result, command, config);
+}
+function emitResult(result, label, config) {
   if (result.decision === "allow") {
-    const output2 = {
-      hookSpecificOutput: {
-        hookEventName: "PreToolUse",
-        permissionDecision: "allow",
-        permissionDecisionReason: `[warden] ${result.reason}`
-      }
-    };
-    process.stdout.write(JSON.stringify(output2));
-    process.exit(0);
+    emitDecision("allow", `[warden] ${result.reason}`);
   }
   if (result.decision === "deny") {
     if (config.notifyOnDeny) {
-      const truncated = command.length > 80 ? command.slice(0, 77) + "..." : command;
+      const truncated = label.length > 80 ? label.slice(0, 77) + "..." : label;
       sendNotification("Claude Warden", `Blocked: ${truncated}`, config);
     }
-    const msg2 = formatSystemMessage("deny", command, result.details);
-    const output2 = {
-      hookSpecificOutput: {
-        hookEventName: "PreToolUse",
-        permissionDecision: "deny",
-        permissionDecisionReason: msg2
-      }
-    };
-    process.stdout.write(JSON.stringify(output2));
-    process.stderr.write(`[warden] Blocked: ${result.reason}
-`);
-    process.exit(2);
+    const msg2 = formatSystemMessage("deny", label, result.details);
+    emitDecision("deny", msg2, `[warden] Blocked: ${result.reason}`);
   }
   if (config.notifyOnAsk) {
-    const truncated = command.length > 80 ? command.slice(0, 77) + "..." : command;
+    const truncated = label.length > 80 ? label.slice(0, 77) + "..." : label;
     sendNotification("Claude Warden", `Permission needed: ${truncated}`, config);
   }
-  const msg = formatSystemMessage("ask", command, result.details);
-  const output = {
-    hookSpecificOutput: {
-      hookEventName: "PreToolUse",
-      permissionDecision: "ask",
-      permissionDecisionReason: msg
-    }
-  };
-  process.stdout.write(JSON.stringify(output));
-  process.exit(0);
+  const msg = formatSystemMessage("ask", label, result.details);
+  emitDecision("ask", msg);
 }
 main().catch(() => process.exit(0));
 /*! Bundled license information:

package/hooks/hooks.json

@@ -1,5 +1,5 @@
 {
-  "description": "Smart command safety filter — evaluates Bash commands against configurable safety rules",
+  "description": "Smart command safety filter — evaluates Bash commands and Skill invocations against configurable safety rules",
   "hooks": {
     "PreToolUse": [
       {
@@ -11,6 +11,27 @@
             "timeout": 5
           }
         ]
+      },
+      {
+        "matcher": "Skill",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/dist/index.cjs",
+            "timeout": 5
+          }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/dist/index.cjs",
+            "timeout": 5
+          }
+        ]
       }
     ]
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "2.6.0",
+  "version": "2.8.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",