claude-warden 2.8.1 → 2.10.0

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "warden",
       "description": "Auto-approves safe commands, blocks dangerous ones, prompts for the rest",
-      "version": "2.8.1",
+      "version": "2.10.0",
       "author": {
         "name": "banyudu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "warden",
-  "version": "2.8.1",
+  "version": "2.10.0",
   "description": "Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones",
   "author": {
     "name": "banyudu"

package/README.md

@@ -6,7 +6,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/banyudu/claude-warden)](https://github.com/banyudu/claude-warden/stargazers)
 [![CI](https://img.shields.io/github/actions/workflow/status/banyudu/claude-warden/ci.yml?label=CI)](https://github.com/banyudu/claude-warden/actions)
 
-Smart command safety filter for [Claude Code](https://claude.ai/code), [GitHub Copilot CLI](https://docs.github.com/en/copilot/how-tos/customize-copilot-cli/use-hooks), and other AI coding agents. Parses shell commands, evaluates each against configurable safety rules, and returns allow/deny/ask decisions — eliminating unnecessary permission prompts while blocking dangerous commands.
+Smart command safety filter for [Claude Code](https://claude.ai/code), [OpenAI Codex CLI](https://developers.openai.com/codex/hooks), [GitHub Copilot CLI](https://docs.github.com/en/copilot/how-tos/customize-copilot-cli/use-hooks), and other AI coding agents. Parses shell commands, evaluates each against configurable safety rules, and returns allow/deny/ask decisions — eliminating unnecessary permission prompts while blocking dangerous commands.
 
 ## The problem
 
@@ -283,8 +283,69 @@ rules:
           anyArgMatches: ['^(ps|images|logs)$']
         decision: allow
         description: Read-only docker commands
+
+# Skill (slash command) filtering — gate Claude Code skill invocations.
+# Skill names use the short form ("commit", not "/commit"). Glob patterns
+# are supported so you can whitelist an entire plugin namespace.
+skills:
+  defaultDecision: ask
+  alwaysAllow:
+    - commit
+    - review
+    - simplify
+    - "plugin-dev:*"      # allow every skill in the "plugin-dev" plugin
+  alwaysDeny:
+    - deploy
+  rules:
+    - skill: release
+      default: ask
+      argPatterns:
+        - match:
+            argsMatch: ["--dry-run"]
+          decision: allow
+          description: Dry-run release is safe
 ```
 
+## Skill (slash command) filtering
+
+Warden also intercepts Claude Code's `Skill` tool (the mechanism behind `/slash-command` invocations) using the same layered rule engine as shell commands. This lets you whitelist safe skills (read-only helpers, code review, summarization) while still prompting for anything that could modify state.
+
+Skill names are the identifier Claude Code uses internally — **without the leading `/`**. Built-in skills use a bare name (`commit`, `review`), plugin skills use `<plugin>:<skill>` (e.g. `plugin-dev:agent-development`, `code-review:code-review`). Glob patterns `*`, `?`, `[...]`, `{a,b,c}` are supported, so `"plugin-dev:*"` matches every skill in that plugin.
+
+### Configure
+
+```yaml
+skills:
+  # Default for skills with no matching rule: allow | deny | ask
+  defaultDecision: ask
+
+  # Auto-allow these skills (scoped to this config layer)
+  alwaysAllow:
+    - commit
+    - review
+    - "plugin-dev:*"
+
+  # Auto-deny these skills
+  alwaysDeny:
+    - deploy
+
+  # Per-skill rules with argument-aware matching
+  rules:
+    - skill: release
+      default: ask
+      argPatterns:
+        - match:
+            argsMatch: ["--dry-run"]
+          decision: allow
+          description: Dry-run release is safe
+```
+
+Layering follows the same **project > user > default** priority as shell rules (see [Config priority](#config-priority-scoped-layers)).
+
+### Built-in skill defaults
+
+Warden ships with a curated allow-list of skills that are read-only or informational — review tools (`review`, `security-review`, `code-review:code-review`), search/summarization helpers (`promptfolio-*`, `slack:find-discussions`, `slack:summarize-channel`), plugin-development guidance (`plugin-dev:*-development`), and `*-usage` docs skills. Everything else falls through to `defaultDecision: ask`.
+
 ## YOLO mode
 
 Need to temporarily bypass all permission prompts? YOLO mode auto-allows all commands for a limited time or the full session — while still blocking always-deny commands (like `sudo`, `shutdown`) for safety.

package/dist/cli.cjs

@@ -18280,7 +18280,6 @@ function walkNode(node, result) {
       break;
     }
     case "Subshell": {
-      result.hasSubshell = true;
       const subshell = node;
       if (subshell.list?.commands) {
         for (const cmd of subshell.list.commands) {
@@ -18740,6 +18739,7 @@ var SAFE_DEV_TOOLS = [
   "jest",
   "vitest",
   "tsc",
+  "tsgo",
   "eslint",
   "prettier",
   "mkdirp",
@@ -19407,6 +19407,7 @@ var DEFAULT_CONFIG = {
       },
       { command: "rustup", default: "allow" },
       { command: "tsc", default: "allow" },
+      { command: "tsgo", default: "allow" },
       { command: "turbo", default: "allow" },
       { command: "nx", default: "allow" },
       { command: "lerna", default: "allow" },
@@ -19517,7 +19518,18 @@ var DEFAULT_CONFIG = {
       })),
       // --- Scripting languages ---
       { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
-      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      // `[npa]` bundles perl's common read-only short flags (`-pe`, `-ne`, `-ane`).
+      // `-i` (in-place edit) mutates files — detected separately so it's caught whether
+      // bundled (`-pie`, `-pi`) or passed as its own arg (`-i -pe`, `-i.bak -pe`).
+      {
+        command: "perl",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-[a-z]*i"] }, decision: "ask", reason: "Perl `-i` does in-place file edits. Save the script to scripts/*.pl and run it." },
+          ...inlineExecPatterns("Perl", ["^-[npa]*[eE]$"]),
+          VERSION_HELP_FLAGS
+        ]
+      },
       { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },

package/dist/codex-export.cjs

@@ -18284,7 +18284,6 @@ function walkNode(node, result) {
       break;
     }
     case "Subshell": {
-      result.hasSubshell = true;
       const subshell = node;
       if (subshell.list?.commands) {
         for (const cmd of subshell.list.commands) {
@@ -18744,6 +18743,7 @@ var SAFE_DEV_TOOLS = [
   "jest",
   "vitest",
   "tsc",
+  "tsgo",
   "eslint",
   "prettier",
   "mkdirp",
@@ -19411,6 +19411,7 @@ var DEFAULT_CONFIG = {
       },
       { command: "rustup", default: "allow" },
       { command: "tsc", default: "allow" },
+      { command: "tsgo", default: "allow" },
       { command: "turbo", default: "allow" },
       { command: "nx", default: "allow" },
       { command: "lerna", default: "allow" },
@@ -19521,7 +19522,18 @@ var DEFAULT_CONFIG = {
       })),
       // --- Scripting languages ---
       { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
-      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      // `[npa]` bundles perl's common read-only short flags (`-pe`, `-ne`, `-ane`).
+      // `-i` (in-place edit) mutates files — detected separately so it's caught whether
+      // bundled (`-pie`, `-pi`) or passed as its own arg (`-i -pe`, `-i.bak -pe`).
+      {
+        command: "perl",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-[a-z]*i"] }, decision: "ask", reason: "Perl `-i` does in-place file edits. Save the script to scripts/*.pl and run it." },
+          ...inlineExecPatterns("Perl", ["^-[npa]*[eE]$"]),
+          VERSION_HELP_FLAGS
+        ]
+      },
       { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },

package/dist/copilot.cjs

@@ -18280,7 +18280,6 @@ function walkNode(node, result) {
       break;
     }
     case "Subshell": {
-      result.hasSubshell = true;
       const subshell = node;
       if (subshell.list?.commands) {
         for (const cmd of subshell.list.commands) {
@@ -18740,6 +18739,7 @@ var SAFE_DEV_TOOLS = [
   "jest",
   "vitest",
   "tsc",
+  "tsgo",
   "eslint",
   "prettier",
   "mkdirp",
@@ -19407,6 +19407,7 @@ var DEFAULT_CONFIG = {
       },
       { command: "rustup", default: "allow" },
       { command: "tsc", default: "allow" },
+      { command: "tsgo", default: "allow" },
       { command: "turbo", default: "allow" },
       { command: "nx", default: "allow" },
       { command: "lerna", default: "allow" },
@@ -19517,7 +19518,18 @@ var DEFAULT_CONFIG = {
       })),
       // --- Scripting languages ---
       { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
-      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      // `[npa]` bundles perl's common read-only short flags (`-pe`, `-ne`, `-ane`).
+      // `-i` (in-place edit) mutates files — detected separately so it's caught whether
+      // bundled (`-pie`, `-pi`) or passed as its own arg (`-i -pe`, `-i.bak -pe`).
+      {
+        command: "perl",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-[a-z]*i"] }, decision: "ask", reason: "Perl `-i` does in-place file edits. Save the script to scripts/*.pl and run it." },
+          ...inlineExecPatterns("Perl", ["^-[npa]*[eE]$"]),
+          VERSION_HELP_FLAGS
+        ]
+      },
       { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },

package/dist/index.cjs

@@ -18280,7 +18280,6 @@ function walkNode(node, result) {
       break;
     }
     case "Subshell": {
-      result.hasSubshell = true;
       const subshell = node;
       if (subshell.list?.commands) {
         for (const cmd of subshell.list.commands) {
@@ -18740,6 +18739,7 @@ var SAFE_DEV_TOOLS = [
   "jest",
   "vitest",
   "tsc",
+  "tsgo",
   "eslint",
   "prettier",
   "mkdirp",
@@ -19407,6 +19407,7 @@ var DEFAULT_CONFIG = {
       },
       { command: "rustup", default: "allow" },
       { command: "tsc", default: "allow" },
+      { command: "tsgo", default: "allow" },
       { command: "turbo", default: "allow" },
       { command: "nx", default: "allow" },
       { command: "lerna", default: "allow" },
@@ -19517,7 +19518,18 @@ var DEFAULT_CONFIG = {
       })),
       // --- Scripting languages ---
       { command: "ruby", default: "ask", argPatterns: [...inlineExecPatterns("Ruby", ["^-e$", "^--eval"]), VERSION_HELP_FLAGS] },
-      { command: "perl", default: "ask", argPatterns: [...inlineExecPatterns("Perl", ["^-e$", "^-E$"]), VERSION_HELP_FLAGS] },
+      // `[npa]` bundles perl's common read-only short flags (`-pe`, `-ne`, `-ane`).
+      // `-i` (in-place edit) mutates files — detected separately so it's caught whether
+      // bundled (`-pie`, `-pi`) or passed as its own arg (`-i -pe`, `-i.bak -pe`).
+      {
+        command: "perl",
+        default: "ask",
+        argPatterns: [
+          { match: { anyArgMatches: ["^-[a-z]*i"] }, decision: "ask", reason: "Perl `-i` does in-place file edits. Save the script to scripts/*.pl and run it." },
+          ...inlineExecPatterns("Perl", ["^-[npa]*[eE]$"]),
+          VERSION_HELP_FLAGS
+        ]
+      },
       { command: "php", default: "ask", argPatterns: [...inlineExecPatterns("PHP", ["^-r$"]), VERSION_HELP_FLAGS] },
       // --- Java ecosystem ---
       { command: "java", default: "ask", argPatterns: [VERSION_HELP_FLAGS] },
@@ -20911,11 +20923,12 @@ function generateAllowSnippet(details) {
   }
   return lines.join("\n");
 }
-function formatSystemMessage(decision, rawCommand, details) {
+function formatSystemMessage(decision, rawCommand, details, fallbackReason) {
   const relevant = details.filter((d) => d.decision !== "allow");
   if (decision === "ask") {
     const parts = relevant.map((d) => `\`${d.command}\`: ${d.reason}`);
-    const header = `[warden] ${parts.join(" | ")}`;
+    const body = parts.length > 0 ? parts.join(" | ") : fallbackReason || "";
+    const header = `[warden] ${body}`;
     const subcommandHints = relevant.filter((d) => d.args.length > 0).map((d) => {
       const sub = d.args[0];
       return `  Option A: Allow all \`${d.command}\` \u2192 \`/warden:allow ${d.command}\`
@@ -21189,14 +21202,14 @@ function emitResult(result, label, config) {
       const truncated = label.length > 80 ? label.slice(0, 77) + "..." : label;
       sendNotification("Claude Warden", `Blocked: ${truncated}`, config);
     }
-    const msg2 = formatSystemMessage("deny", label, result.details);
+    const msg2 = formatSystemMessage("deny", label, result.details, result.reason);
     emitDecision("deny", msg2, `[warden] Blocked: ${result.reason}`);
   }
   if (config.notifyOnAsk) {
     const truncated = label.length > 80 ? label.slice(0, 77) + "..." : label;
     sendNotification("Claude Warden", `Permission needed: ${truncated}`, config);
   }
-  const msg = formatSystemMessage("ask", label, result.details);
+  const msg = formatSystemMessage("ask", label, result.details, result.reason);
   emitDecision("ask", msg);
 }
 main().catch(() => process.exit(0));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-warden",
-  "version": "2.8.1",
+  "version": "2.10.0",
   "description": "Smart command safety filter for Claude Code — auto-approves safe commands, blocks dangerous ones",
   "type": "module",
   "main": "dist/index.cjs",