Introduction

The goal is simple: agents should be able to do useful work without receiving unrestricted access to every secret in a project.

Ward has two intentionally different workflows:

- Human mode: broad local access for a trusted developer terminal.

- Agent mode: explicit, scoped, approval-gated access for AI agents.

In human mode, Ward preserves the normal developer workflow. You activate ward human, then normal commands such as pnpm dev or cargo run are routed through Ward in that terminal while the session is active.

In agent mode, Ward stays passive. Agents must identify themselves, declare the command they want to run, provide git/worktree context, and request only the env names needed for that command. The broker approves, denies, or asks the human.

Ward is useful when:

- You use AI coding agents locally.

- Your project needs .env secrets for development.

- You want audit logs for secret-backed commands.

- You want agents to request scoped access instead of reading .env files.

- You want a dashboard that shows requests, approvals, executions, sessions,

projects, and logs.

Ward does not try to be a full operating-system sandbox. If a malicious process already has unrestricted same-user access to your machine, Ward cannot provide complete isolation from that local compromise. Ward's protection boundary is the secret workflow: it prevents ordinary agent runs and raw broker protocol calls from bypassing policy, approval, identity, and audit controls.