What is Warden?
Runtime governance for AI coding agents. — Changelog
Warden is the runtime governance layer for coding agents. It intercepts tool calls before they reach your environment, enforces safety policy deterministically, compresses noisy output, and provides bounded session guidance to keep long runs productive.
Warden works with Claude Code, Gemini CLI, and Codex CLI. It installs in one command, requires zero configuration, and runs silently in the background. When a session is healthy, you won’t know it’s there. When things start degrading, Warden intervenes.
Privacy & Locality
Every safety decision, every session signal, every output compression happens on your machine.
- No telemetry. No analytics, no usage tracking, no phone-home.
- No cloud dependencies. All rules are compiled into the binary. No downloads, no external services during operation.
- Your code stays on your machine. Warden reads tool call metadata (command names, file paths, exit codes). It does not read, copy, or transmit your source code.
- Free to use. No subscription, no premium tier.
The
updateandinstallcommands fetch releases from GitHub. No other network calls are made.
What Warden Does
Warden makes four kinds of interventions:
- Blocks dangerous actions. Destructive commands, credential leaks, hallucinated flags, and unsafe patterns are denied before they execute. The agent receives an explanation and a safe alternative.
- Compresses noisy output. Build logs, test suites, and install output are reduced to what the agent actually needs — errors, warnings, and summaries. Context waste drops dramatically.
- Teaches better tool choices. When the agent reaches for a legacy tool, Warden redirects it to a faster modern alternative (
grep→rg,find→fd). The agent learns the substitution and uses it for the rest of the session. - Guides struggling sessions. Warden monitors focus, detects loops, tracks verification debt, and injects targeted corrections when a session drifts. Healthy sessions run silently.
How It Works
Every time your AI agent makes a tool call:
- The hook fires — Claude Code, Gemini CLI, and Codex CLI support hook scripts that run before and after tool calls. Warden registers itself as those hooks.
- Warden evaluates — the call is checked against compiled safety and quality patterns in a single fast pass.
- A decision is made:
- Pass — the command proceeds silently. The agent never knows Warden is there.
- Deny — the command is blocked. The agent gets an explanation and a suggested alternative.
- Teach — the command runs (or is redirected), and the agent receives a targeted hint.
- Apply — Warden rewrites the command to a safer or more efficient form.
- Require structure — the agent is asked to restructure its approach before proceeding.
- Post-tool processing — after the command runs, Warden can compress the output, update session state, and detect patterns like loops or drift.
The evaluation is deterministic for safety rules. Session guidance is heuristic and bounded. Both are documented separately.
What Warden Is Not
- Not a harness framework. Warden doesn’t orchestrate multi-agent workflows or coordinate planner/generator/evaluator loops. It governs individual agent sessions from the inside. Harnesses and Warden are complementary — a harness coordinates the work, Warden makes each agent’s session safer.
- Not a memory platform. Warden tracks session state and carries forward a compact resume between sessions. It doesn’t store long-term knowledge graphs or semantic memories.
- Not a hosted service. Everything runs locally. No cloud, no SaaS, no API keys.
- Not a replacement for the agent. Warden doesn’t generate code, write tests, or make architectural decisions. It makes the agent better at doing those things by keeping it safe, focused, and efficient.
Supported Agents
| Agent | Integration | Status |
|---|---|---|
| Claude Code | Native hooks (PreToolUse, PostToolUse, etc.) | Full support |
| Gemini CLI | Native hooks | Full support |
| Codex CLI | Native hooks | Full support |
The same rules, the same session guidance, the same output compression apply regardless of which assistant you use. The only difference is the hook payload format, handled by a thin adapter layer.
What’s Next
- Installation — install and connect to your AI assistant
- Runtime Policy — how Warden evaluates tool calls and the five decision types
- Rule Engine — compiled safety and quality patterns
- Session Intelligence — how Warden tracks session health
- Configuration — customizing Warden’s behavior