-
Notifications
You must be signed in to change notification settings - Fork 3
Safety
Warden has full filesystem, network, email, and scheduling powers on the machine it runs on. It can do a lot — including damage. This page is the short list of rules that keep you from getting burned.
- Don't run as admin. Warden has full permissions by design. Running it as admin multiplies the blast radius — a typo in a tool call can brick the OS. Use a normal user account.
- No write access to important things. Email, prod repos, SSH keys, password managers, financial accounts. If you wouldn't hand a stranger the password, don't hand Warden write access.
- Make backups first. Before letting Warden touch anything you care about, snapshot it. Copy the project directory, save a tarball, or use a real backup tool. Reversible is the goal.
- Not your only/work computer. If Warden wedges the machine, you need a second one to recover from. Run it on a box you can afford to lose for a day.
- Watch the verbose bar. It shows what Warden is doing right now. If it's calling tools you didn't expect, hit Stop — don't wait to see what happens.
-
Read BLOCKED messages. When a tool fails, Warden says
BLOCKEDwith the reason. Read it before retrying. Blind retries compound failures.
Warden has direct access to:
- The filesystem (read and write — anywhere the user account can).
- The shell (arbitrary commands, including destructive ones).
- The network (Atlas opens URLs, fetches pages).
- Email (if Iris is configured — read, search, draft, send).
- The scheduler (Dexter can create cron tasks that run later).
- System processes (Stop/Restart the server itself, truncate logs).
- Conversation history stored in the local SQLite database, plus Mercury rolling memory in
MERCURY_MEMORY.md.
None of these are sandboxed. The guardrails are your good judgment, the verbose bar, and the Stop button.
If Warden is doing something you didn't intend — heading toward a destructive action, calling the wrong tool, looping — hit Stop in the top bar immediately. It kills the in-flight agent run cleanly and preserves the chat history.
You can then ask Warden what it was about to do, redirect it, or start a fresh turn.
The Run audit button (left rail, bottom) sends 100 scenarios through the chat API and logs the results. Run it after major changes — it surfaces regressions in tool use, delegation, code execution, scheduling, and computer control.
If Warden is broken, paste the log into Claude Code (or your console agent runner of choice) to triage and fix.