Documentation

Assistant Boundary

Warden is a runtime governance layer that sits between your AI assistant and your codebase. Understanding the boundary between what Warden controls and what your assistant controls natively helps you configure both effectively.

What Warden Controls

These capabilities are handled by Warden regardless of which assistant you use:

Safety & Policy

Blocking dangerous commands (rm -rf, reverse shells, credential theft)
Substitution transforms (grep → rg, find → fd, curl → xh)
Sensitive file protection (.ssh, .env, credentials)
Prompt injection detection in tool output

Session Intelligence

Session phase tracking (Warmup → Productive → Exploring → Struggling → Late)
Goal extraction and drift detection
Loop detection and verification debt tracking
Focus scoring and advisory injection (trust-gated)

Output Efficiency

Verbose output compression (cargo test, npm install, git diff)
Smart truncation and context budget management
Compaction forecasting

Observability

MCP server for assistant-to-Warden queries
Session quality scoring and anomaly detection
Cross-session learning

What Claude Code Controls

These are native Claude Code features that Warden does not touch:

CLAUDE.md — project instructions, coding style, preferences
Permissions — tool approval prompts (allow/deny)
Context window — what’s loaded, when to compact
Model selection — which Claude model powers the session
Skills — slash commands and custom workflows
Memory — persistent facts across conversations
Settings — settings.json, keybindings, hooks configuration

Warden never reads, writes, or modifies any Claude Code configuration files.

What Gemini CLI Controls

These are native Gemini CLI features that Warden does not touch:

.gemini/ — project configuration directory
Tool policies — which tools are allowed or denied
Context management — what’s included in the prompt
Model selection — which Gemini model is used
Extensions — Gemini CLI plugins and integrations

Warden never reads, writes, or modifies any Gemini CLI configuration files.

What Codex CLI Controls

These are native Codex CLI features that Warden does not touch:

.codex/ — project configuration directory
Tool policies — which tools are allowed or denied
Context management — what’s included in the prompt
Model selection — which OpenAI model is used
Plugins — Codex CLI extensions and integrations

Warden never reads, writes, or modifies any Codex CLI configuration files.

The Shared Boundary

Some behaviors involve both Warden and the assistant:

Area	Assistant’s Role	Warden’s Role
Tool approval	Prompts user for permission	Can deny after permission is granted (safety rules override)
Context injection	Manages its own system prompt	Adds targeted advisories via hook response
File governance	Decides what to read/write	Advises on read patterns, blocks sensitive writes
Error recovery	Decides how to fix errors	Provides recovery hints and pattern-matched suggestions

Design Rules

Warden never overrides the assistant’s permission system. If Claude Code, Gemini CLI, or Codex CLI approves a tool use, Warden can still deny it for safety — but it cannot grant permissions the assistant denied.
Warden never modifies assistant configuration. No writes to .claude/, .gemini/, settings.json, or any assistant-owned files.
Warden is assistant-agnostic. The same rules, the same session intelligence, the same output compression apply regardless of which assistant is running. The only difference is the hook payload format, which is handled by a thin adapter layer.