# Claude Warden - Default Configuration Reference
#
# Copy to ~/.claude/warden.yaml (user-level) or .claude/warden.yaml (project-level) to customize.
#
# Config priority: project > user > built-in defaults.
# Within each scope, alwaysDeny is checked before alwaysAllow, and the first
# scope with a matching rule wins (e.g. a project rule overrides a user rule
# for the same command).

# Default decision for commands not covered by any rule: allow | deny | ask
defaultDecision: ask

# If true, commands containing $() or backticks trigger "ask"
askOnSubshell: true

# Send OS notifications when warden prompts for permission or blocks a command.
# On macOS, uses terminal-notifier (click to activate terminal) or osascript fallback.
# On Linux, uses notify-send.
notifyOnAsk: true
notifyOnDeny: true

# Additional commands to always allow (checked after alwaysDeny within this scope)
# alwaysAllow:
#   - terraform
#   - flyctl
#   - my-safe-tool

# Additional commands to always deny (checked first within this scope)
# alwaysDeny:
#   - nc
#   - ncat

# Remote execution contexts — SSH, Docker, kubectl, Sprite, Fly.io
# Commands on trusted remotes are recursively evaluated through warden rules.
# Supports glob patterns (* wildcards) for names.
# trustedRemotes:
#   - context: ssh
#     name: devserver
#   - context: ssh
#     name: staging-*
#   - context: ssh
#     name: "*.internal.company.com"
#   - context: ssh
#     name: prod-bastion
#     overrides:
#       alwaysAllow: [systemctl]
#   - context: docker
#     name: my-app
#   - context: docker
#     name: dev-container
#     allowAll: true                 # skip all checks (disposable env)
#   - context: docker
#     name: staging-*
#     overrides:
#       alwaysAllow: [sudo, apt]
#   - context: kubectl
#     name: minikube
#   - context: kubectl
#     name: dev-cluster-*
#     overrides:
#       alwaysAllow: [sudo]
#   - context: kubectl
#     name: prod-cluster
#     overrides:
#       alwaysDeny: [rm]
#   - context: sprite
#     name: my-sprite
#   - context: sprite
#     name: yudu-claw
#     allowAll: true
#   - context: sprite
#     name: dev-*
#     overrides:
#       alwaysAllow: [sudo, apt]
#   - context: fly
#     name: my-fly-app
#   - context: fly
#     name: staging-*
#     allowAll: true
#   - context: fly
#     name: prod-app
#     overrides:
#       alwaysAllow: [sudo, apt]

# Target-based policies — override decisions based on paths, databases, or endpoints.
# targetPolicies:
#   - type: path
#     path: /tmp
#     allowAll: true                 # any command targeting /tmp is auto-allowed
#   - type: path
#     path: "{{cwd}}"               # expands to the project's working directory
#     decision: allow
#     commands: [rm, cp, mv]        # only override these commands
#   - type: path
#     path: /etc
#     decision: deny                # block modifications to /etc
#     reason: "System config directory"
#   - type: path
#     path: /opt/build
#     recursive: false              # exact match only (not children)
#     decision: allow
#   - type: database
#     host: localhost
#     decision: allow
#   - type: database
#     host: "dev-*.internal"
#     database: "test_*"
#     decision: allow
#   - type: database
#     host: "prod.example.com"
#     decision: deny
#     reason: "Production database"
#   - type: endpoint
#     pattern: "http://localhost:*"
#     decision: allow
#   - type: endpoint
#     pattern: "https://api.dev.example.com/*"
#     decision: allow
#   - type: endpoint
#     pattern: "https://api.prod.example.com/*"
#     decision: deny
#     reason: "Production API"

# Legacy keys (trustedSSHHosts, trustedDockerContainers, trustedKubectlContexts,
# trustedSprites, trustedFlyApps, trustedPaths, trustedDatabases, trustedEndpoints)
# are still supported and automatically converted to the unified form above.

# Override rules when evaluating commands inside trusted remote contexts
# (docker exec, kubectl exec, ssh, sprite exec). These overrides are applied
# as the highest-priority layer only for remote command evaluation.
# trustedContextOverrides:
#   alwaysAllow:
#     - sudo
#     - apt
#     - apt-get
#   alwaysDeny: []
#   rules: []

# Command-specific rules (override built-in rules by command name).
# The first scope (project > user > default) with a rule for a given command wins.
#
# IMPORTANT: Rules are matched by the command being executed, not by arguments.
# For example, when Claude runs `python -c "import foo"`, warden looks up rules
# for command: "python" — NOT "bash" or "sh". A common mistake is writing rules
# for "bash" with argPatterns matching "python"; this won't work because warden
# sees the command as "python".
#
# rules:
#   # Allow all python commands
#   - command: python
#     default: allow
#
#   # Allow python -c but ask for other python usage
#   - command: python
#     default: ask
#     argPatterns:
#       - match:
#           anyArgMatches: ['^-c$']
#         decision: allow
#         description: Allow python -c inline scripts
#
#   # Allow all node.js execution
#   - command: node
#     default: allow
#
#   # Trust all npx in this project
#   - command: npx
#     default: allow
#
#   # Docker with selective allow
#   - command: docker
#     default: ask
#     argPatterns:
#       - match:
#           anyArgMatches: ['^(ps|images|logs)$']
#         decision: allow
#         description: Read-only docker commands