claude-warden 2.7.0 → 2.8.1

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "version": "2.7.0",
+      "version": "2.8.1",
       "author": {
         "name": "banyudu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.7.0",
+  "version": "2.8.1",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/config/warden.default.yaml

@@ -19,6 +19,26 @@ askOnSubshell: true
 notifyOnAsk: true
 notifyOnDeny: true
 
+# Guidance injected into every Claude Code session via the SessionStart hook.
+# Claude sees this as a system message, so it can shape tool choice *before*
+# warden needs to ask or deny. Keep it short — it competes for context.
+#
+# - Omit the key to use the built-in default (prefer jq, save temp scripts to
+#   tempScriptDir below, read deny reasons, mention /warden:allow and /warden:yolo).
+# - Set to a string to override with your own guidance.
+# - Set to `false` to disable injection entirely.
+#
+# sessionGuidance: |
+#   Warden is active. Prefer allow-listed tools (e.g. jq for JSON). For
+#   multi-line logic, save a temp script under /tmp/ instead of using
+#   inline `bash -c` / `node -e`.
+
+# Directory the built-in guidance tells Claude to save throwaway multi-line
+# scripts to. Defaults to `/tmp` so scripts don't pollute the repo. Point at
+# another location (e.g. `.warden-scratch`) if you want them tracked per-project.
+# Only used when `sessionGuidance` is unset.
+# tempScriptDir: /tmp
+
 # Additional commands to always allow (checked after alwaysDeny within this scope)
 # alwaysAllow:
 #   - terraform

package/dist/cli.cjs

@@ -18860,6 +18860,91 @@ function registryOpsPattern() {
     reason: "Registry modification"
   };
 }
+var INLINE_LANG_CONFIG = {
+  Python: {
+    ext: "py",
+    patterns: [
+      "os\\.system",
+      "subprocess",
+      "commands\\.",
+      "pty\\.",
+      `__import__\\s*\\(\\s*['"](?:os|subprocess|socket)`,
+      "\\bexec\\s*\\(",
+      "\\beval\\s*\\(",
+      `open\\s*\\([^)]*['"][wax+]`,
+      "\\bsocket\\b",
+      "urllib",
+      "requests\\.",
+      "http\\.client"
+    ]
+  },
+  JavaScript: {
+    ext: "js",
+    patterns: [
+      "child[_]process",
+      `require\\s*\\(\\s*['"]child[_]process`,
+      "\\.(?:writeFile|appendFile|createWriteStream|writeFileSync|appendFileSync)\\s*\\(",
+      "http\\.request",
+      "https\\.request",
+      "net\\.(?:connect|createConnection)",
+      "fetch\\s*\\("
+    ]
+  },
+  Ruby: {
+    ext: "rb",
+    patterns: [
+      "`",
+      "%x[\\(\\{\\[]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      "IO\\.popen",
+      "Kernel\\.",
+      "\\bspawn\\s*\\(",
+      `File\\.open\\s*\\([^)]*['"][wax+]`,
+      "File\\.write",
+      "open-uri",
+      "Net::HTTP"
+    ]
+  },
+  Perl: {
+    ext: "pl",
+    patterns: [
+      "`",
+      "qx[\\(\\{\\[/]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      `open\\s*\\([^)]*['"][>|+]`
+    ]
+  },
+  PHP: {
+    ext: "php",
+    patterns: [
+      "`",
+      "shell_exec",
+      "\\b(?:system|passthru|popen|proc_open)\\s*\\(",
+      "\\bexec\\s*\\(",
+      "file_put_contents",
+      "fwrite",
+      `fopen\\s*\\([^)]*['"][wax+]`,
+      "curl_exec",
+      "fsockopen"
+    ]
+  }
+};
+function inlineExecPatterns(lang, flags) {
+  const { ext, patterns } = INLINE_LANG_CONFIG[lang];
+  const reason = `Inline ${lang} is hard to audit. For JSON, prefer \`jq\`. For reuse, save to scripts/*.${ext} and run it.`;
+  const flagAlt = flags.map((f) => f.replace(/^\^/, "").replace(/\$$/, "")).join("|");
+  const compound = `(?:^|\\s)(?:${flagAlt})[\\s=][^\\n]{0,16000}?(?:${patterns.join("|")})`;
+  return [
+    { match: { argsMatch: [compound] }, decision: "ask", reason },
+    {
+      match: { anyArgMatches: flags },
+      decision: "allow",
+      description: `Plausibly read-only inline ${lang} script`
+    }
+  ];
+}
 function pkgManagerRule(command, extraSafeCmds = []) {
   const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
@@ -18933,6 +19018,18 @@ var DEFAULT_SKILL_RULES = {
     rules: []
   }]
 };
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -19231,7 +19328,7 @@ var DEFAULT_CONFIG = {
         command: "node",
         default: "ask",
         argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
+          ...inlineExecPatterns("JavaScript", ["^-e$", "^--eval", "^-p$", "^--print"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
           { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
         ]
@@ -19260,6 +19357,7 @@ var DEFAULT_CONFIG = {
         command: cmd,
         default: "ask",
         argPatterns: [
+          ...inlineExecPatterns("Python", ["^-c$"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
         ]
       })),
@@ -19418,14 +19516,9 @@ var DEFAULT_CONFIG = {
         argPatterns: [VERSION_HELP_FLAGS]
       })),
       // --- Scripting languages ---
-      ...["ruby", "perl", "php"].map((cmd) => ({
-        command: cmd,
-        default: "ask",
-        argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval"] }, decision: "ask", reason: "Inline code execution" },
-          VERSION_HELP_FLAGS
-        ]
-      })),
+      { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
+      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
       { command: "javac", default: "allow" },
@@ -19809,6 +19902,18 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
   if (raw.skills && typeof raw.skills === "object") {
     const skills = raw.skills;
     if (typeof skills.defaultDecision === "string") {

package/dist/codex-export.cjs

@@ -18864,6 +18864,91 @@ function registryOpsPattern() {
     reason: "Registry modification"
   };
 }
+var INLINE_LANG_CONFIG = {
+  Python: {
+    ext: "py",
+    patterns: [
+      "os\\.system",
+      "subprocess",
+      "commands\\.",
+      "pty\\.",
+      `__import__\\s*\\(\\s*['"](?:os|subprocess|socket)`,
+      "\\bexec\\s*\\(",
+      "\\beval\\s*\\(",
+      `open\\s*\\([^)]*['"][wax+]`,
+      "\\bsocket\\b",
+      "urllib",
+      "requests\\.",
+      "http\\.client"
+    ]
+  },
+  JavaScript: {
+    ext: "js",
+    patterns: [
+      "child[_]process",
+      `require\\s*\\(\\s*['"]child[_]process`,
+      "\\.(?:writeFile|appendFile|createWriteStream|writeFileSync|appendFileSync)\\s*\\(",
+      "http\\.request",
+      "https\\.request",
+      "net\\.(?:connect|createConnection)",
+      "fetch\\s*\\("
+    ]
+  },
+  Ruby: {
+    ext: "rb",
+    patterns: [
+      "`",
+      "%x[\\(\\{\\[]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      "IO\\.popen",
+      "Kernel\\.",
+      "\\bspawn\\s*\\(",
+      `File\\.open\\s*\\([^)]*['"][wax+]`,
+      "File\\.write",
+      "open-uri",
+      "Net::HTTP"
+    ]
+  },
+  Perl: {
+    ext: "pl",
+    patterns: [
+      "`",
+      "qx[\\(\\{\\[/]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      `open\\s*\\([^)]*['"][>|+]`
+    ]
+  },
+  PHP: {
+    ext: "php",
+    patterns: [
+      "`",
+      "shell_exec",
+      "\\b(?:system|passthru|popen|proc_open)\\s*\\(",
+      "\\bexec\\s*\\(",
+      "file_put_contents",
+      "fwrite",
+      `fopen\\s*\\([^)]*['"][wax+]`,
+      "curl_exec",
+      "fsockopen"
+    ]
+  }
+};
+function inlineExecPatterns(lang, flags) {
+  const { ext, patterns } = INLINE_LANG_CONFIG[lang];
+  const reason = `Inline ${lang} is hard to audit. For JSON, prefer \`jq\`. For reuse, save to scripts/*.${ext} and run it.`;
+  const flagAlt = flags.map((f) => f.replace(/^\^/, "").replace(/\$$/, "")).join("|");
+  const compound = `(?:^|\\s)(?:${flagAlt})[\\s=][^\\n]{0,16000}?(?:${patterns.join("|")})`;
+  return [
+    { match: { argsMatch: [compound] }, decision: "ask", reason },
+    {
+      match: { anyArgMatches: flags },
+      decision: "allow",
+      description: `Plausibly read-only inline ${lang} script`
+    }
+  ];
+}
 function pkgManagerRule(command, extraSafeCmds = []) {
   const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
@@ -18937,6 +19022,18 @@ var DEFAULT_SKILL_RULES = {
     rules: []
   }]
 };
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -19235,7 +19332,7 @@ var DEFAULT_CONFIG = {
         command: "node",
         default: "ask",
         argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
+          ...inlineExecPatterns("JavaScript", ["^-e$", "^--eval", "^-p$", "^--print"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
           { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
         ]
@@ -19264,6 +19361,7 @@ var DEFAULT_CONFIG = {
         command: cmd,
         default: "ask",
         argPatterns: [
+          ...inlineExecPatterns("Python", ["^-c$"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
         ]
       })),
@@ -19422,14 +19520,9 @@ var DEFAULT_CONFIG = {
         argPatterns: [VERSION_HELP_FLAGS]
       })),
       // --- Scripting languages ---
-      ...["ruby", "perl", "php"].map((cmd) => ({
-        command: cmd,
-        default: "ask",
-        argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval"] }, decision: "ask", reason: "Inline code execution" },
-          VERSION_HELP_FLAGS
-        ]
-      })),
+      { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
+      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
       { command: "javac", default: "allow" },
@@ -19813,6 +19906,18 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
   if (raw.skills && typeof raw.skills === "object") {
     const skills = raw.skills;
     if (typeof skills.defaultDecision === "string") {

package/dist/copilot.cjs

@@ -18860,6 +18860,91 @@ function registryOpsPattern() {
     reason: "Registry modification"
   };
 }
+var INLINE_LANG_CONFIG = {
+  Python: {
+    ext: "py",
+    patterns: [
+      "os\\.system",
+      "subprocess",
+      "commands\\.",
+      "pty\\.",
+      `__import__\\s*\\(\\s*['"](?:os|subprocess|socket)`,
+      "\\bexec\\s*\\(",
+      "\\beval\\s*\\(",
+      `open\\s*\\([^)]*['"][wax+]`,
+      "\\bsocket\\b",
+      "urllib",
+      "requests\\.",
+      "http\\.client"
+    ]
+  },
+  JavaScript: {
+    ext: "js",
+    patterns: [
+      "child[_]process",
+      `require\\s*\\(\\s*['"]child[_]process`,
+      "\\.(?:writeFile|appendFile|createWriteStream|writeFileSync|appendFileSync)\\s*\\(",
+      "http\\.request",
+      "https\\.request",
+      "net\\.(?:connect|createConnection)",
+      "fetch\\s*\\("
+    ]
+  },
+  Ruby: {
+    ext: "rb",
+    patterns: [
+      "`",
+      "%x[\\(\\{\\[]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      "IO\\.popen",
+      "Kernel\\.",
+      "\\bspawn\\s*\\(",
+      `File\\.open\\s*\\([^)]*['"][wax+]`,
+      "File\\.write",
+      "open-uri",
+      "Net::HTTP"
+    ]
+  },
+  Perl: {
+    ext: "pl",
+    patterns: [
+      "`",
+      "qx[\\(\\{\\[/]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      `open\\s*\\([^)]*['"][>|+]`
+    ]
+  },
+  PHP: {
+    ext: "php",
+    patterns: [
+      "`",
+      "shell_exec",
+      "\\b(?:system|passthru|popen|proc_open)\\s*\\(",
+      "\\bexec\\s*\\(",
+      "file_put_contents",
+      "fwrite",
+      `fopen\\s*\\([^)]*['"][wax+]`,
+      "curl_exec",
+      "fsockopen"
+    ]
+  }
+};
+function inlineExecPatterns(lang, flags) {
+  const { ext, patterns } = INLINE_LANG_CONFIG[lang];
+  const reason = `Inline ${lang} is hard to audit. For JSON, prefer \`jq\`. For reuse, save to scripts/*.${ext} and run it.`;
+  const flagAlt = flags.map((f) => f.replace(/^\^/, "").replace(/\$$/, "")).join("|");
+  const compound = `(?:^|\\s)(?:${flagAlt})[\\s=][^\\n]{0,16000}?(?:${patterns.join("|")})`;
+  return [
+    { match: { argsMatch: [compound] }, decision: "ask", reason },
+    {
+      match: { anyArgMatches: flags },
+      decision: "allow",
+      description: `Plausibly read-only inline ${lang} script`
+    }
+  ];
+}
 function pkgManagerRule(command, extraSafeCmds = []) {
   const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
@@ -18933,6 +19018,18 @@ var DEFAULT_SKILL_RULES = {
     rules: []
   }]
 };
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -19231,7 +19328,7 @@ var DEFAULT_CONFIG = {
         command: "node",
         default: "ask",
         argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
+          ...inlineExecPatterns("JavaScript", ["^-e$", "^--eval", "^-p$", "^--print"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
           { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
         ]
@@ -19260,6 +19357,7 @@ var DEFAULT_CONFIG = {
         command: cmd,
         default: "ask",
         argPatterns: [
+          ...inlineExecPatterns("Python", ["^-c$"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
         ]
       })),
@@ -19418,14 +19516,9 @@ var DEFAULT_CONFIG = {
         argPatterns: [VERSION_HELP_FLAGS]
       })),
       // --- Scripting languages ---
-      ...["ruby", "perl", "php"].map((cmd) => ({
-        command: cmd,
-        default: "ask",
-        argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval"] }, decision: "ask", reason: "Inline code execution" },
-          VERSION_HELP_FLAGS
-        ]
-      })),
+      { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
+      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
       { command: "javac", default: "allow" },
@@ -19806,6 +19899,18 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
   if (raw.skills && typeof raw.skills === "object") {
     const skills = raw.skills;
     if (typeof skills.defaultDecision === "string") {

package/dist/index.cjs

@@ -18860,6 +18860,91 @@ function registryOpsPattern() {
     reason: "Registry modification"
   };
 }
+var INLINE_LANG_CONFIG = {
+  Python: {
+    ext: "py",
+    patterns: [
+      "os\\.system",
+      "subprocess",
+      "commands\\.",
+      "pty\\.",
+      `__import__\\s*\\(\\s*['"](?:os|subprocess|socket)`,
+      "\\bexec\\s*\\(",
+      "\\beval\\s*\\(",
+      `open\\s*\\([^)]*['"][wax+]`,
+      "\\bsocket\\b",
+      "urllib",
+      "requests\\.",
+      "http\\.client"
+    ]
+  },
+  JavaScript: {
+    ext: "js",
+    patterns: [
+      "child[_]process",
+      `require\\s*\\(\\s*['"]child[_]process`,
+      "\\.(?:writeFile|appendFile|createWriteStream|writeFileSync|appendFileSync)\\s*\\(",
+      "http\\.request",
+      "https\\.request",
+      "net\\.(?:connect|createConnection)",
+      "fetch\\s*\\("
+    ]
+  },
+  Ruby: {
+    ext: "rb",
+    patterns: [
+      "`",
+      "%x[\\(\\{\\[]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      "IO\\.popen",
+      "Kernel\\.",
+      "\\bspawn\\s*\\(",
+      `File\\.open\\s*\\([^)]*['"][wax+]`,
+      "File\\.write",
+      "open-uri",
+      "Net::HTTP"
+    ]
+  },
+  Perl: {
+    ext: "pl",
+    patterns: [
+      "`",
+      "qx[\\(\\{\\[/]",
+      "\\bsystem\\s*\\(",
+      "\\bexec\\s*\\(",
+      `open\\s*\\([^)]*['"][>|+]`
+    ]
+  },
+  PHP: {
+    ext: "php",
+    patterns: [
+      "`",
+      "shell_exec",
+      "\\b(?:system|passthru|popen|proc_open)\\s*\\(",
+      "\\bexec\\s*\\(",
+      "file_put_contents",
+      "fwrite",
+      `fopen\\s*\\([^)]*['"][wax+]`,
+      "curl_exec",
+      "fsockopen"
+    ]
+  }
+};
+function inlineExecPatterns(lang, flags) {
+  const { ext, patterns } = INLINE_LANG_CONFIG[lang];
+  const reason = `Inline ${lang} is hard to audit. For JSON, prefer \`jq\`. For reuse, save to scripts/*.${ext} and run it.`;
+  const flagAlt = flags.map((f) => f.replace(/^\^/, "").replace(/\$$/, "")).join("|");
+  const compound = `(?:^|\\s)(?:${flagAlt})[\\s=][^\\n]{0,16000}?(?:${patterns.join("|")})`;
+  return [
+    { match: { argsMatch: [compound] }, decision: "ask", reason },
+    {
+      match: { anyArgMatches: flags },
+      decision: "allow",
+      description: `Plausibly read-only inline ${lang} script`
+    }
+  ];
+}
 function pkgManagerRule(command, extraSafeCmds = []) {
   const safeCmds = [...SAFE_PKG_MANAGER_CMDS, ...extraSafeCmds];
   return {
@@ -18933,6 +19018,18 @@ var DEFAULT_SKILL_RULES = {
     rules: []
   }]
 };
+var DEFAULT_TEMP_SCRIPT_DIR = "/tmp";
+function buildDefaultSessionGuidance(tempScriptDir) {
+  return [
+    "Claude Warden is active. It filters Bash commands against safety rules and may ask or deny.",
+    "",
+    "- For JSON in shell pipelines, prefer `jq` (auto-allowed) over `python3 -c` / `node -e`.",
+    `- For multi-line logic, save a temp script under \`${tempScriptDir}/\` (e.g. \`${tempScriptDir}/warden-task.sh\`) or add a \`package.json\` script rather than inline \`bash -c\` / \`node -e\`. Avoid polluting the repo with throwaway scripts.`,
+    "- When Warden denies or asks, read the reason \u2014 it often names the preferred alternative.",
+    "- To permanently allow a specific command, run `/warden:allow <cmd>`. To temporarily bypass filtering, `/warden:yolo`."
+  ].join("\n");
+}
+var DEFAULT_SESSION_GUIDANCE = buildDefaultSessionGuidance(DEFAULT_TEMP_SCRIPT_DIR);
 var DEFAULT_CONFIG = {
   defaultDecision: "ask",
   askOnSubshell: true,
@@ -19231,7 +19328,7 @@ var DEFAULT_CONFIG = {
         command: "node",
         default: "ask",
         argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval", "^-p$", "^--print"] }, decision: "ask", reason: "Evaluating inline code" },
+          ...inlineExecPatterns("JavaScript", ["^-e$", "^--eval", "^-p$", "^--print"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-[vh]$"] }, decision: "allow", description: "Version/help flags" },
           { match: { noArgs: true }, decision: "ask", reason: "Interactive REPL" }
         ]
@@ -19260,6 +19357,7 @@ var DEFAULT_CONFIG = {
         command: cmd,
         default: "ask",
         argPatterns: [
+          ...inlineExecPatterns("Python", ["^-c$"]),
           { match: { anyArgMatches: ["^--(version|help)$", "^-V$"] }, decision: "allow" }
         ]
       })),
@@ -19418,14 +19516,9 @@ var DEFAULT_CONFIG = {
         argPatterns: [VERSION_HELP_FLAGS]
       })),
       // --- Scripting languages ---
-      ...["ruby", "perl", "php"].map((cmd) => ({
-        command: cmd,
-        default: "ask",
-        argPatterns: [
-          { match: { anyArgMatches: ["^-e$", "^--eval"] }, decision: "ask", reason: "Inline code execution" },
-          VERSION_HELP_FLAGS
-        ]
-      })),
+      { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
+      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
       { command: "javac", default: "allow" },
@@ -19806,6 +19899,18 @@ function mergeNonLayerFields(config, raw) {
   if (typeof raw.notifyOnDeny === "boolean") {
     config.notifyOnDeny = raw.notifyOnDeny;
   }
+  if (typeof raw.sessionGuidance === "string" || raw.sessionGuidance === false) {
+    config.sessionGuidance = raw.sessionGuidance;
+  } else if (raw.sessionGuidance !== void 0) {
+    warn(`[warden] Warning: invalid sessionGuidance (expected string or false), ignoring
+`);
+  }
+  if (typeof raw.tempScriptDir === "string" && raw.tempScriptDir.length > 0) {
+    config.tempScriptDir = raw.tempScriptDir;
+  } else if (raw.tempScriptDir !== void 0) {
+    warn(`[warden] Warning: invalid tempScriptDir (expected non-empty string), ignoring
+`);
+  }
   if (raw.skills && typeof raw.skills === "object") {
     const skills = raw.skills;
     if (typeof skills.defaultDecision === "string") {
@@ -20990,6 +21095,18 @@ function emitDecision(decision, reason, stderrMessage) {
   }
   process.exit(0);
 }
+function handleSessionStart(config) {
+  if (config.sessionGuidance === false) process.exit(0);
+  const text = config.sessionGuidance ?? buildDefaultSessionGuidance(config.tempScriptDir ?? DEFAULT_TEMP_SCRIPT_DIR);
+  const output = {
+    hookSpecificOutput: {
+      hookEventName: "SessionStart",
+      additionalContext: text
+    }
+  };
+  process.stdout.write(JSON.stringify(output));
+  process.exit(0);
+}
 function handleYoloMode(sessionId, result) {
   const yoloState = getYoloState(sessionId);
   if (!yoloState) return;
@@ -21011,6 +21128,10 @@ async function main() {
   } catch {
     process.exit(0);
   }
+  if (input.hook_event_name === "SessionStart") {
+    const config2 = loadConfig(input.cwd);
+    handleSessionStart(config2);
+  }
   if (input.tool_name !== "Bash" && input.tool_name !== "Skill") {
     process.exit(0);
   }

package/hooks/hooks.json

@@ -22,6 +22,17 @@
           }
         ]
       }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/dist/index.cjs",
+            "timeout": 5
+          }
+        ]
+      }
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "2.7.0",
+  "version": "2.8.1",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",