v0.2.0

@tbouska tbouska released this 23 Mar 21:11
· 234 commits to master since this release

Added

  • Glob patterns in alwaysAllow/alwaysDeny/rules: * (single segment), ** (any depth) — e.g. ~/.claude/skills/**
  • Parser extracts script from bash script.sh invocations — evaluates the script path instead of bash
  • Target-aware security policies (path, database, endpoint) that evaluate commands by their targets
  • Script safety scanning for python, node/tsx/ts-node, and perl
  • npx/bunx/pnpx and uv run recursive evaluation
  • Audit logging with JSONL output and size-based rotation
  • Conditional export rule — allows PATH extension, asks on PATH replacement and LD_PRELOAD
  • Redesigned ask/deny messages with /warden:allow hints

Changed

  • Unified trustedSSHHosts, trustedDockerContainers, etc. into single trustedRemotes array with context discriminator

Fixed

  • Script evaluators respect user-configured deny rules
  • Chain-local rm resolves variables for target policy checking
  • Malformed glob patterns in target policies no longer crash
  • Target policies checked before chain-resolved auto-allow to prevent bypass
  • Eliminated double-evaluation and double-logging in yolo deny path
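
The conditional export rule listed under Added (allow PATH extension, ask on PATH replacement and LD_PRELOAD) can be sketched as follows. This is an added example, not the project's own code: the function name `classify_export`, the conservative handling of quoting, and the treatment of other variables as "allow" are assumptions.

```python
import re
import shlex

# $PATH or ${PATH} standing alone as one colon-separated entry.
PATH_REF = re.compile(r"\$(?:PATH|\{PATH\})")

def classify_export(command: str) -> str:
    """Return 'allow' or 'ask' for one `export ...` command line."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "export":
        raise ValueError("not an export command")
    # Single quotes or backslashes can stop $PATH from expanding, which turns
    # an apparent extension into a replacement; treat those conservatively.
    literal = "'" in command or "\\" in command
    decision = "allow"
    for tok in tokens[1:]:
        if tok.startswith("-") or "=" not in tok:
            continue  # flags and bare `export NAME` assign nothing
        name, value = tok.split("=", 1)
        append = name.endswith("+")  # bash `NAME+=value` appends
        name = name.rstrip("+")
        if name == "LD_PRELOAD":
            decision = "ask"  # any preload can inject code into child processes
        elif name == "PATH" and not append:
            keeps_old = any(PATH_REF.fullmatch(p) for p in value.split(":"))
            if literal or not keeps_old:
                decision = "ask"  # existing search path is discarded
        # Assumption: other variables are outside this rule and stay "allow".
    return decision

if __name__ == "__main__":
    # Constructed sample commands, not taken from the project.
    for cmd in ['export PATH="$HOME/.local/bin:$PATH"',
                "export PATH=/tmp/bin",
                "export LD_PRELOAD=/tmp/hook.so"]:
        print(classify_export(cmd), "<-", cmd)
```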