v0.3.0 — warden-lite
[0.3.0] - 2026-05-11
Yellow-tier release. Pairs with
@vanteguardlabs/warden-ai-sdk
v0.2.0+'s async-HIL flow. Adds the wire contract for parking
risky-but-not-banned tool calls for operator approval — a third
verdict between 200 OK (green) and 403 Forbidden (red).
Added
202 Acceptedfrom/mcpwhen the Rego policy'sreviewrule
fires alongsideallow := true. Body is
{status, correlation_id, review_reasons}; the request is parked in
a newpendingsSQLite table awaiting a decide call. The hash chain
keeps the existing entry shape —pendingsis a separate table,
deliberately not part ofHashableEntryV1, so chains produced by
lite remain byte-compatible with the full edition's verifier.POST /pending/:id/decide— operator capability. Accepts
{decision: "allow" | "deny", note?: string}. Single-decision: a
second decide call against the same correlation id returns
409 Conflict. A second ledger entry (PendingApproved/
PendingDenied) is written tied to the same correlation id, so the
audit trail captures both the original park and the final outcome.
Gated by--decide-token/WARDEN_LITE_DECIDE_TOKEN— distinct
from the agent bearer token so an agent cannot self-approve.GET /pending/:id— poll endpoint returning the full pending
view (status, decision, decider_note, RFC 3339 timestamps).- Static linux-x86_64 binary as a GitHub release asset
(warden-lite-<version>-x86_64-linux-musl.tar.gz+ matching
.sha256). Built with musl, fully static, no glibc dependency. For
partners who want the binary on a host without docker. - README "Container" snippet now pulls
ghcr.io/vanteguardlabs/warden-lite:latestdirectly instead of
git clone + docker build.
Migration notes
- Existing 200/403 callers unaffected — yellow tier only fires when
the policy emits bothallow := trueand a non-emptyreviewset.
The defaultgovernance.regoships with areviewrule for
wire_transfer; older policy bundles without anyreviewrules
retain v0.2.0's binary behavior. - The Rego
allowrule previously suppressed itself whenreview
was non-empty (collapsing yellow into red). It now only checks
count(deny) == 0. If you have a custom policy that relied on the
old behavior, gate thereviewrule on whatever conditions you
wanted to deny outright.