manuelschipper / nah
Context-aware safety guard for Claude Code.
Repository Overview (README excerpt)
Safeguard your vibes. Keep your flow state.

Docs • Install • What it guards • How it works • Configure • CLI

---

The problem

Claude Code’s permission system is allow-or-deny per tool, but that doesn’t really scale. Deleting some files is fine sometimes. And git checkout is sometimes catastrophic. Even when you curate permissions, 200 IQ Opus can find a way around it.

Maintaining a deny list is a fool’s errand.

We needed something like --dangerously-skip-permissions that doesn’t nuke your untracked files, exfiltrate your keys, or install malware.

nah classifies every tool call by what it actually does using contextual rules that run in milliseconds. For the ambiguous stuff, optionally route to an LLM. Every decision is logged and inspectable. Works out of the box, configure it how you want it.

— Sure.
— **nah?**
— Ok, cleaning up.
— **nah.**
**Read** — Go ahead.
**Read** — **nah.**
**Write** — Fine.
**Write** with — **nah.**

Install

Once installed, nah handles permissions for everything Claude Code does in your file system. Safe operations go through automatically, dangerous ones are blocked, ambiguous ones ask.

**Don't use ** — just run in default mode. In mode, hooks fire asynchronously and commands execute before nah can block them.

By default nah actively allows safe operations for all guarded tools. To keep nah's protection on some tools but let others fall back to Claude Code's built-in prompts, set to a list:

Valid tool names: , , , , , . See configuration docs.

To uninstall: .

Try it out

Clone the repo and run the security demo inside Claude Code:

25 live cases across 8 threat categories: remote code execution, data exfiltration, obfuscated commands, and others. Takes ~5 minutes.
What it guards

nah is a PreToolUse hook that intercepts **every** tool call before it executes:

| Tool | What nah checks |
|------|----------------|
| **Bash** | Structural command classification — action type, pipe composition, shell unwrapping |
| **Read** | Sensitive path detection ( , , , ...) |
| **Write** | Path check + project boundary + content inspection (secrets, exfiltration, destructive payloads) |
| **Edit** | Path check + project boundary + content inspection on the replacement string |
| **Glob** | Guards directory scanning of sensitive locations |
| **Grep** | Catches credential search patterns outside the project |
| **MCP tools** | Generic classification for third-party tool servers ( ) |

How it works

Every tool call hits a deterministic structural classifier first, no LLMs involved.

** ** = blocked. ** ** = asks for your confirmation. Everything else goes through.

Context-aware

The same command gets different decisions based on context:

| Command | Context | Decision |
|---------|---------|----------|
| | Inside project | Allow |
| | Outside project | Ask |
| | History rewrite | Ask |
| | Decode + exec pipe | Block |

Optional LLM layer

For commands the classifier can't resolve, nah can optionally consult an LLM:

The deterministic layer always runs first — the LLM only resolves leftover "ask" decisions. If no LLM is configured or available, the decision stays "ask" and the user is prompted.

Supported providers: Ollama, OpenRouter, OpenAI, Anthropic, Snowflake Cortex.

Configure

Works out of the box with zero config. When you want to tune it:

nah classifies commands by **action type**, not by command name. Run to see all 23 built-in action types with their default policies.
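The layering described under "How it works", "Context-aware" and "Optional LLM layer", as an added Python example that is not nah's own code: a deterministic decision runs first, the project-boundary check resolves `..` and symlinks before comparing paths, and the LLM is consulted only for leftover "ask" cases. The policy names, the `llm` callable and the set of verdicts it may return are assumptions.

```python
import os

# Policy and decision names are assumptions; the page's own names were lost in extraction.
ALLOW, CONTEXT, ASK, BLOCK = "allow", "context", "ask", "block"


def inside_project(path, project_root):
    """True if path resolves to a location under project_root."""
    root = os.path.realpath(project_root)
    # realpath collapses ".." and follows symlinks, so "proj/../../etc"
    # or a symlink pointing out of the tree cannot pass as "inside".
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


def decide(policy, path, project_root, llm=None):
    """Deterministic decision first; llm (hypothetical callable) only sees 'ask' cases."""
    if policy in (ALLOW, BLOCK):
        return policy                 # final: never forwarded to the LLM
    if policy == CONTEXT and path is not None and inside_project(path, project_root):
        return ALLOW                  # same action, inside the project
    if policy not in (CONTEXT, ASK):
        return ASK                    # unknown policy: fall back to prompting
    if llm is None:
        return ASK                    # no LLM configured: the user is prompted
    try:
        verdict = llm(policy, path)
    except Exception:
        return ASK                    # LLM unavailable: decision stays "ask"
    # Anything other than a clear verdict leaves the decision with the user.
    return verdict if verdict in (ALLOW, BLOCK) else ASK


if __name__ == "__main__":
    root = "/srv/constructed/proj"    # constructed path, need not exist
    for p in ("src/app.py", "../../etc/passwd", "/etc/passwd"):
        print(p, "->", decide(CONTEXT, p, root))
```
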
Action types

Every command maps to an action type, and every action type has a default policy:

| Policy | Meaning | Example types |
|--------|---------|---------------|
| | Always permit | , , |
| | Check path/project context, then decide | , , |
| | Always prompt the user | , , |
| | Always reject | |

Taxonomy profiles

Choose how much built-in classification to start with:

• **full** (default) — comprehensive coverage across shell, git, packages, containers, and more
• **minimal** — curated essentials only (rm, git, curl, kill, ...)
• **none** — blank slate — make your own

LLM configuration

Supply-chain safety

Project can **add** classifications and **tighten** policies, but can never relax them. A malicious repo can't use to allowlist dangerous commands — only your global config has that power.

CLI

Core

Test & inspect

Manage rules

Adjust policies from the command line:

License

MIT

---

--dangerously-skip-permissions?
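The tighten-only rule from "Supply-chain safety", as an added Python example that is not nah's own code: project-level entries are accepted only when they are at least as strict as the policy already in effect, while the user's global config may also relax. The policy names, their strictness order, the "ask" baseline for unclassified action types and every action-type name below are assumptions made for this example.

```python
# Policy names and their strictness order are assumptions made for this example.
STRICTNESS = {"allow": 0, "context": 1, "ask": 2, "block": 3}
UNCLASSIFIED_BASELINE = "ask"  # assumed treatment of types with no existing policy


def merge_policies(defaults, global_cfg, project_cfg):
    """Layer defaults, then trusted global config, then untrusted project config.

    Returns (effective, rejected). Project entries may tighten a policy or add
    a new one at or above the baseline; entries that would relax are rejected.
    """
    effective = dict(defaults)
    for action, policy in global_cfg.items():
        if policy not in STRICTNESS:
            raise ValueError(f"unknown policy {policy!r} in global config")
        effective[action] = policy          # user-owned file: relaxing is allowed
    rejected = []
    for action, policy in project_cfg.items():
        if policy not in STRICTNESS:
            rejected.append((action, policy, "unknown policy"))
            continue
        current = effective.get(action, UNCLASSIFIED_BASELINE)
        if STRICTNESS[policy] < STRICTNESS[current]:
            rejected.append((action, policy, f"would relax {current!r}"))
            continue
        effective[action] = policy
    return effective, rejected


# Constructed sample data; the action-type names are hypothetical, not nah's.
DEFAULTS = {"example_read": "allow", "example_delete": "context",
            "example_history_rewrite": "ask"}
GLOBAL_CFG = {"example_history_rewrite": "allow"}   # the user relaxes one policy
PROJECT_CFG = {
    "example_delete": "allow",            # relax attempt by the repository
    "example_read": "ask",                # tighten
    "example_history_rewrite": "block",   # tighten past the user's relaxation
    "example_deploy": "allow",            # new type below the baseline
    "example_publish": "block",           # new type, strict
}

if __name__ == "__main__":
    effective, rejected = merge_policies(DEFAULTS, GLOBAL_CFG, PROJECT_CFG)
    print(effective)
    print(rejected)
```

Logging the `rejected` list gives a reviewable record of every relaxation a repository's config attempted.
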