wardn 0.3.0

Credential isolation proxy — agents never see real API keys
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120

pub mod migrate_cmd;
pub mod serve_cmd;
pub mod vault_cmd;

use std::path::PathBuf;

use clap::{Parser, Subcommand, ValueEnum};

#[derive(Parser)]
#[command(
    name = "wardn",
    about = "Credential isolation for AI agents",
    version,
    propagate_version = true
)]
pub struct Cli {
    /// Path to the vault file
    #[arg(long, global = true, default_value = "~/.vibeguard/vault.enc")]
    pub vault: String,

    /// Path to the wardn config file (TOML)
    #[arg(long, global = true)]
    pub config: Option<PathBuf>,

    #[command(subcommand)]
    pub command: Commands,
}

#[derive(Subcommand)]
pub enum Commands {
    /// Manage the encrypted credential vault
    Vault {
        #[command(subcommand)]
        command: VaultCommands,
    },

    /// Start the wardn proxy server
    Serve(ServeArgs),

    /// Scan for exposed credentials and migrate them
    Migrate(MigrateArgs),
}

#[derive(Subcommand)]
pub enum VaultCommands {
    /// Create a new encrypted vault
    Create,

    /// Store a credential in the vault
    Set {
        /// Credential name (e.g. OPENAI_KEY)
        key: String,
    },

    /// Get the placeholder token for a credential (never the real value)
    Get {
        /// Credential name
        key: String,

        /// Agent identity for the placeholder
        #[arg(long, default_value = "cli")]
        agent: String,
    },

    /// List all stored credentials (names only, no values)
    List,

    /// Rotate a credential value (placeholder stays the same)
    Rotate {
        /// Credential name to rotate
        key: String,
    },

    /// Remove a credential from the vault
    Remove {
        /// Credential name to remove
        key: String,
    },
}

#[derive(Parser)]
pub struct ServeArgs {
    /// Host to bind to
    #[arg(long, default_value = "127.0.0.1")]
    pub host: String,

    /// Port to listen on
    #[arg(long, default_value_t = 7777)]
    pub port: u16,

    /// Also start the MCP server over stdio
    #[arg(long)]
    pub mcp: bool,

    /// Agent identity for MCP server (required with --mcp)
    #[arg(long)]
    pub agent: Option<String>,
}

#[derive(Parser)]
pub struct MigrateArgs {
    /// Source system to scan
    #[arg(long, value_enum, default_value = "claude-code")]
    pub source: MigrateSourceArg,

    /// Directory to scan (for --source directory)
    #[arg(long)]
    pub path: Option<PathBuf>,

    /// Audit only — don't migrate credentials
    #[arg(long)]
    pub dry_run: bool,
}

#[derive(Clone, ValueEnum)]
pub enum MigrateSourceArg {
    ClaudeCode,
    OpenClaw,
    Directory,
}