nah: A context-aware permission guard for Claude Code

By OpenClawRadar. Published: March 12, 2026

What nah does

nah is a Python-based permission guard that sits between Claude Code and tool execution. It addresses the limitations of Claude's binary allow-or-deny permission system by adding context-aware decision making. The tool intercepts every tool call before it executes and classifies it based on what it actually does.

How it works

Every tool call hits a deterministic structural classifier first (no LLMs required) that runs in milliseconds. The classifier maps commands to action types like:

  • filesystem_read
  • filesystem_delete
  • package_run
  • db_write
  • git_history_rewrite
  • lang_exec

For each action type, nah applies one of four policies: allow, context (depends on target), ask, or block. The same command gets different decisions based on context:

  • rm dist/bundle.js (inside project) → Allow
  • rm ~/.bashrc (outside project) → Ask
  • git push --force → Ask (history rewrite)
  • base64 -d | bash → Block (decode + exec pipe)
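The four decisions above can be reproduced with a small structural classifier. This Python example is added here for illustration and is not nah's own code: the rules, the POLICY mapping, the DECODERS and SHELLS sets, and every function name are assumptions. It splits commands on pipes only, not on && or ;.

```python
import os
import shlex
from itertools import groupby

# Action types and policy names are the article's; this mapping is an assumed default.
POLICY = {"filesystem_delete": "context", "git_history_rewrite": "ask",
          "lang_exec": "ask", "unknown": "ask"}
DECODERS = {"base64", "xxd"}        # assumed set of decode tools
SHELLS = {"sh", "bash", "zsh"}      # assumed set of shells
SEVERITY = ["allow", "ask", "block"]

def split_pipeline(command):
    """Tokenise like a shell and split into stages on '|' (also catches 'a|b')."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [list(g) for is_pipe, g in groupby(lexer, lambda t: t == "|") if not is_pipe]

def classify(stage):
    """Map one pipeline stage to an action type using a few hand-written rules."""
    prog, args = os.path.basename(stage[0]), stage[1:]
    if prog == "rm":
        return "filesystem_delete"
    if prog == "git" and args[:1] == ["push"] and {"--force", "-f"} & set(args):
        return "git_history_rewrite"
    return "lang_exec" if prog in SHELLS else "unknown"

def inside_project(path, project_root, home):
    """Resolve '~' and '..' before comparing against the project boundary."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    root = os.path.realpath(project_root)
    full = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, full]) == root

def decide(command, project_root, home):
    stages = split_pipeline(command)
    progs = [os.path.basename(s[0]) for s in stages]
    if any(a in DECODERS and b in SHELLS for a, b in zip(progs, progs[1:])):
        return "block"  # decode + exec pipe, judged on composition
    verdicts = []
    for stage in stages:
        policy = POLICY[classify(stage)]
        if policy == "context":  # outcome depends on where the targets live
            targets = [a for a in stage[1:] if not a.startswith("-")]
            ok = targets and all(inside_project(t, project_root, home) for t in targets)
            policy = "allow" if ok else "ask"
        verdicts.append(policy)
    return max(verdicts or ["ask"], key=SEVERITY.index)
```

Paths are normalised before the boundary check, so a relative target such as ../other is treated as outside the project even though it does not start with / or ~.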

What it guards

nah checks different aspects depending on the tool:

  • Bash: Structural command classification — action type, pipe composition, shell unwrapping
  • Read: Sensitive path detection (~/.ssh, ~/.aws, .env, ...)
  • Write: Path check + project boundary + content inspection (secrets, exfiltration, destructive payloads)
  • Edit: Path check + project boundary + content inspection on replacement string
  • Glob: Guards directory scanning of sensitive locations
  • Grep: Catches credential search patterns outside the project
  • MCP tools: Generic classification for third-party tool servers (mcp__*)

Installation and usage

Install with: pip install nah && nah install

Uninstall with: nah uninstall && pip uninstall nah

The tool works out of the box with sane defaults and requires no configuration. You can run a security demo inside Claude Code with /nah-demo, which walks through 25 live cases across 8 threat categories, including remote code execution, data exfiltration, and obfuscated commands.

Configuration options

When you want to customize behavior, you can configure via:

  • ~/.config/nah/config.yaml (global)
  • .nah.yaml (per-project, can only tighten permissions)

Example configuration:

actions:
  filesystem_delete: ask  # always confirm deletes
  git_history_rewrite: block  # never allow force push
  lang_exec: allow  # trust inline scripts

sensitive_paths:
  ~/.kube: ask
  ~/Documents/taxes: block

Optional LLM layer

For commands the deterministic classifier can't resolve, nah can optionally consult an LLM. The flow is: Tool call → nah (deterministic) → LLM (optional) → Claude Code permissions → execute. The deterministic layer always runs first — the LLM only resolves leftover "ask" decisions. If no LLM is configured or available, the decision stays "ask" and the user is prompted. Supported providers include Ollama, OpenRouter, OpenAI, Anthropic, and Snowflake Cortex.

Important notes

The developers specifically warn against using Claude Code's --dangerously-skip-permissions flag. In bypass mode, hooks fire asynchronously — commands execute before nah can block them. Instead, they recommend allowing tools like Bash, Read, Glob, and Grep and letting nah guard them.

📖 Read the full source: HN AI Agents
