Releases: clavenar/clavenar-lite
Release list
v0.4.1 — warden-lite
[0.4.1] - 2026-05-12
Partner-day-1 hardening release. Closes the SQLite-concurrency gap
that hung the warden-lite audit CLI against a running proxy,
sharpens the operator triage queue, and wires the end-to-end smoke
into CI so future changes can't silently break the day-1 surface.
Changed
- SQLite WAL + busy_timeout on ledger open. Lets the
warden-lite auditCLI read the ledger DB concurrently with a
running proxy (previously the second opener deadlocked on the
writer lock and hung indefinitely).busy_timeout=5000backstops
brief contention with a short wait instead ofSQLITE_BUSY. The
:memory:path silently falls back to a memory-mode journal.
Added
pending listsort + color UX. Triage-queue ergonomics: the
parkedfilter now defaults to oldest-first so the
longest-waiting request reads at the top;decidedandall
default to newest-first (history view). Both can be overridden via
?sort=oldest|neweston the server and--sorton the CLI. The
STATUS column emits ANSI color on a TTY (yellow=parked, green=allow,
red=deny) and stays plain text on pipes or whenNO_COLORis set
(https://no-color.org).scripts/smoke-e2e.sh— partner-day-1 quality gate. Boots
warden-lite from a freshly-built local image on a dedicated docker
network with a Python upstream stub, then exercises all three
verdicts, the yellow-tier park-poll-decide loop, second-decide
409, the decide-token gating (rejecting an agent bearer on the
operator endpoint), and a concurrentwarden-lite auditCLI read
against the same DB file (proves WAL works). 20 checks against
the live HTTP surface; cleans up on exit. Wired into CI so every
push proves the gate. Companion tosmoke-install.sh— this one
verifies they actually work.
v0.4.0 — warden-lite
[0.4.0] - 2026-05-12
Partner-readiness release. Closes the gap between "partner says yes"
and "partner is running warden-lite in front of their agent." Single
binary now covers server + operator ops; yellow-tier parks alert
Slack with a one-click-ready decide command line; the SDK demo
demonstrates the canonical operator flow end-to-end.
Added
GET /pending— operator list endpoint. Query params:
?status=parked|decided|all(defaultparked),?limit=N(default
50, server hard-cap 500). Returns array of pending views, newest
requested first. Requires--decide-tokenif configured.warden-lite pending {list,get,decide}CLI subcommands. Talks
to a running warden-lite over HTTP; same wire contract as the
endpoints.pending listprints a table by default,--jsonfor
scripting.pending decidetakes--allowor--deny(mutually
exclusive) + optional--note. Falls back toWARDEN_LITE_URL,
WARDEN_LITE_DECIDE_TOKEN,WARDEN_LITE_TOKENenvs.- Slack-webhook park alerts via
--slack-webhook-url(or
WARDEN_LITE_SLACK_WEBHOOK_URL). Every yellow-tier park spawns a
fire-and-forget POST with the correlation id, agent, tool, review
reasons, and the exactwarden-lite pending decidecommand line
for the approver. One-way — operators decide via the CLI or curl
(no Slack→warden return path; that lives in the full edition's HIL
service). Failed webhooks log atwarnand never block the
agent's 202.
v0.3.0 — warden-lite
[0.3.0] - 2026-05-11
Yellow-tier release. Pairs with
@vanteguardlabs/warden-ai-sdk
v0.2.0+'s async-HIL flow. Adds the wire contract for parking
risky-but-not-banned tool calls for operator approval — a third
verdict between 200 OK (green) and 403 Forbidden (red).
Added
202 Acceptedfrom/mcpwhen the Rego policy'sreviewrule
fires alongsideallow := true. Body is
{status, correlation_id, review_reasons}; the request is parked in
a newpendingsSQLite table awaiting a decide call. The hash chain
keeps the existing entry shape —pendingsis a separate table,
deliberately not part ofHashableEntryV1, so chains produced by
lite remain byte-compatible with the full edition's verifier.POST /pending/:id/decide— operator capability. Accepts
{decision: "allow" | "deny", note?: string}. Single-decision: a
second decide call against the same correlation id returns
409 Conflict. A second ledger entry (PendingApproved/
PendingDenied) is written tied to the same correlation id, so the
audit trail captures both the original park and the final outcome.
Gated by--decide-token/WARDEN_LITE_DECIDE_TOKEN— distinct
from the agent bearer token so an agent cannot self-approve.GET /pending/:id— poll endpoint returning the full pending
view (status, decision, decider_note, RFC 3339 timestamps).- Static linux-x86_64 binary as a GitHub release asset
(warden-lite-<version>-x86_64-linux-musl.tar.gz+ matching
.sha256). Built with musl, fully static, no glibc dependency. For
partners who want the binary on a host without docker. - README "Container" snippet now pulls
ghcr.io/vanteguardlabs/warden-lite:latestdirectly instead of
git clone + docker build.
Migration notes
- Existing 200/403 callers unaffected — yellow tier only fires when
the policy emits bothallow := trueand a non-emptyreviewset.
The defaultgovernance.regoships with areviewrule for
wire_transfer; older policy bundles without anyreviewrules
retain v0.2.0's binary behavior. - The Rego
allowrule previously suppressed itself whenreview
was non-empty (collapsing yellow into red). It now only checks
count(deny) == 0. If you have a custom policy that relied on the
old behavior, gate thereviewrule on whatever conditions you
wanted to deny outright.
v0.2.0 — warden-lite
[0.2.0] - 2026-05-11
Trust-onboarding release. Adds the rollout knob (observe mode), the
audit-trail hook (correlation id), and the container surface
(Dockerfile + Fly.io) so partners can deploy a warden-lite in front
of their agent in 60 seconds without standing up a Rust toolchain.
Added
- Observe mode (
--mode observe/WARDEN_LITE_MODE=observe).
Every request forwards upstream regardless of policy / Brain
verdict. The ledger still recordsauthorized=falsefor would-have-
denied requests so the audit trail of what enforce mode would
have done stays accurate. Responses carryX-Warden-Modeand (on
would-have-denies)X-Warden-Would-Deny: true. - Correlation id on every
/mcpresponse —X-Warden-Correlation-Id
is a UUID v4 minted per request and persisted to a new
correlation_idledger column. Partners catchWardenDeniedSDK-side
and look the call up in the ledger with one query. The column is
deliberately NOT part ofHashableEntryV1, so the hash chain stays
byte-compatible with the full edition's verifier. - Multi-stage Dockerfile producing a 38.5 MB compressed image.
Runs as nonroot UID 65532, tini as PID 1, bundles the default
governance.regoat/etc/warden-lite/policies, all
WARDEN_LITE_*envs honoured. - Fly.io deploy template (
fly.toml) — shared-cpu-1x, 256 MB,
auto-stop/start, observe mode by default. One-click "Deploy on
Fly.io" button on the README. - README "Run it in 60 seconds" + "Try it with your agent" sections
pairing warden-lite with the
@vanteguardlabs/warden-ai-sdk
wrap pattern end-to-end.
Migration notes
- Existing ledger DBs (0.1.0 schema) are upgraded automatically on
the first 0.2.0 boot via idempotentALTER TABLE ADD COLUMN correlation_id TEXT. The migration is read-only on existing rows
(legacy entries returnNonefor the new field) and the hash
chain re-verifies cleanly. - Default mode is still
enforce— upgrading 0.1.0 → 0.2.0 changes
no enforcement behaviour. Opt into observe per-deploy.