Claude Warden
Smart command safety filter for Claude Code, OpenAI Codex CLI, GitHub Copilot CLI, and other AI coding agents. Parses shell commands, evaluates each against configurable safety rules, and returns allow/deny/ask decisions — eliminating unnecessary permission prompts while blocking dangerous commands.
The problem
Claude Code's permission system is all-or-nothing. In the default mode, you're prompted for every shell command — even ls, cat, and grep. This creates a painful UX where you're clicking "Allow" hundreds of times per session on obviously safe commands. The alternative (yolo mode) disables all prompts, which is dangerous.
There's no middle ground: you can't say "allow git but block git push --force", or "allow ssh to my dev server but prompt for production". And compound commands like npm run build && npm test trigger a single opaque prompt with no visibility into what's actually being run.
How Warden solves it
Warden hooks into Claude Code's PreToolUse event and parses every shell command into an AST using bash-parser. This means it doesn't just see npm run build && git push --force as a single string — it walks the AST to extract each individual command, then evaluates them independently against a configurable rule engine.
This AST-based approach enables:
- Pipe and chain decomposition:
cat file | grep pattern | wc -l is parsed into three commands, each evaluated separately. All safe → auto-allow. One dangerous → deny the whole pipeline.
- Argument-aware rules:
git status → allow, git push --force → prompt. rm temp.txt → allow, rm -rf / → prompt. The evaluator matches against argument patterns, not just command names.
- Recursive evaluation of remote commands:
ssh devserver 'cat /etc/hosts' → Warden extracts the remote command, parses it through the same pipeline, and allows it. ssh devserver 'sudo rm -rf /' → denied. Same for docker exec, kubectl exec, and sprite exec.
- Shell wrapper unwrapping:
sh -c "npm run build && npm test" → the inner command is extracted and recursively parsed/evaluated, not treated as an opaque string.
- Env prefix handling:
NODE_ENV=production npm run build → correctly evaluates npm run build, ignoring the env prefix.
- Recursive subshell evaluation: Commands with
$() or backticks are extracted, parsed, and recursively evaluated through the same pipeline. echo $(cat file.txt) → both echo and cat are evaluated individually. Only unparseable constructs (heredocs, complex shell syntax) fall back to prompting when askOnSubshell is enabled.
- Feedback on blocked commands: When a command is blocked or flagged, Warden provides a system message explaining why and a YAML snippet showing how to allow it in your config.
The result: 100+ common dev commands auto-approved, dangerous commands auto-denied, everything else configurable — with zero changes to how you use Claude Code.
Before and after
| Command | Without Warden | With Warden |
|---|
ls -la | Prompted | Auto-allowed |
cat file | grep pattern | wc -l | Prompted | Auto-allowed (3 safe commands) |
npm run build && npm test | Prompted | Auto-allowed |
git push --force origin main | Prompted | Prompted (force push is risky) |
sudo rm -rf / | Prompted | Auto-denied (sudo is blocked) |
ssh devserver cat /etc/hosts | Prompted | Auto-allowed (trusted host + safe cmd) |
ssh devserver sudo rm -rf / | Prompted | Auto-denied (trusted host + dangerous cmd) |
Warden vs Auto Mode
Claude Code recently introduced Auto Mode, which uses a background classifier model to approve or block actions without manual prompts. Here's how it compares to Warden:
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
