Skip to content
Dominic edited this page Jul 10, 2026 · 1 revision

Safety & guardrails

Warden has full filesystem, network, email, and scheduling powers on the machine it runs on. It can do a lot — including damage. This page is the short list of rules that keep you from getting burned.

The hard rules

  • Don't run as admin. Warden has full permissions by design. Running it as admin multiplies the blast radius — a typo in a tool call can brick the OS. Use a normal user account.
  • No write access to important things. Email, prod repos, SSH keys, password managers, financial accounts. If you wouldn't hand a stranger the password, don't hand Warden write access.
  • Make backups first. Before letting Warden touch anything you care about, snapshot it. Copy the project directory, save a tarball, or use a real backup tool. Reversible is the goal.
  • Not your only/work computer. If Warden wedges the machine, you need a second one to recover from. Run it on a box you can afford to lose for a day.
  • Watch the verbose bar. It shows what Warden is doing right now. If it's calling tools you didn't expect, hit Stop — don't wait to see what happens.
  • Read BLOCKED messages. When a tool fails, Warden says BLOCKED with the reason. Read it before retrying. Blind retries compound failures.

What Warden can do

Warden has direct access to:

  • The filesystem (read and write — anywhere the user account can).
  • The shell (arbitrary commands, including destructive ones).
  • The network (Atlas opens URLs, fetches pages).
  • Email (if Iris is configured — read, search, draft, send).
  • The scheduler (Dexter can create cron tasks that run later).
  • System processes (Stop/Restart the server itself, truncate logs).
  • Conversation history stored in the local SQLite database, plus Mercury rolling memory in MERCURY_MEMORY.md.

None of these are sandboxed. The guardrails are your good judgment, the verbose bar, and the Stop button.

The Stop button is your friend

If Warden is doing something you didn't intend — heading toward a destructive action, calling the wrong tool, looping — hit Stop in the top bar immediately. It kills the in-flight agent run cleanly and preserves the chat history.

You can then ask Warden what it was about to do, redirect it, or start a fresh turn.

The audit is your other friend

The Run audit button (left rail, bottom) sends 100 scenarios through the chat API and logs the results. Run it after major changes — it surfaces regressions in tool use, delegation, code execution, scheduling, and computer control.

If Warden is broken, paste the log into Claude Code (or your console agent runner of choice) to triage and fix.

Clone this wiki locally