Initial release.
Added
- PreToolUse hook guarding all 6 Claude Code tools (Bash, Read, Write, Edit, Glob, Grep) plus MCP tools — sensitive path protection, hook self-protection, project boundary enforcement, content inspection for secrets and destructive payloads
- 20-action taxonomy with deterministic structural classification — commands classified by action type (not name), pipe composition rules detect exfiltration and RCE patterns, shell unwrapping prevents bypass via
bash -c,eval, here-strings - Flag-dependent classifiers for context-sensitive commands — git (12 dual-behavior commands), curl/wget/httpie (method detection), sed/tar (mode detection), awk (code execution detection), find, global install escalation
- Optional LLM layer for ambiguous decisions — Ollama, OpenRouter, OpenAI, Anthropic, and Snowflake Cortex providers with automatic cascade, three-way decisions (allow/block/uncertain), conversation context from Claude Code transcripts, configurable eligibility and max decision cap
- YAML config system — global (
~/.config/nah/config.yaml) + per-project (.nah.yaml) with tighten-only merge for supply-chain safety - CLI —
nah install/uninstall/update,nah testfor dry-run classification,nah types/log/config/status, rule management vianah allow/deny/classify/trust/forget - JSONL decision logging with content redaction, verbosity filtering, 5MB rotation
- Context-aware path resolution — same command gets different decisions based on project boundary, sensitive directories, trusted paths
- Fail-closed error handling — internal errors block instead of silently allowing
- MCP tool support — generic
mcp__*classification with supply-chain safety