Added
trust_project_configoption — when enabled in global config, per-project.nah.yamlcan loosen policies (actions, sensitive_paths, classify tables). Without it, project config can only tighten (default: false)- Container destructive taxonomy expansion — podman parity (13 commands), docker subresource prune variants (
container/image/volume/network/builder prune), compose (down/rm), buildx (prune/rm), podman-specific (pod prune/rm,machine rm,secret rm). Expands from 7 to 33 entries find -execpayload classification — extracts the command after-exec/-execdir/-ok/-okdirand recursively classifies it instead of blanketfilesystem_delete.find -exec grep→filesystem_read,find -exec rm→filesystem_delete. Falls back tofilesystem_deleteif payload is empty or unknown (fail-closed)- Stricter project classify overrides — Phase 3 of
classify_tokensnow evaluates project and builtin tables independently and picks the stricter result. Projects can tighten classifications but not weaken them (unlesstrust_project_configis enabled) - Beads-specific action types —
beads_safe(allow),beads_write(allow),beads_destructive(ask) replace generic db_read/db_write classification forbdcommands. Includes prefix-leak guards for flag-dependent mutations (nah-1op) sensitive_paths: allowpolicy — removes hardcoded sensitive path entries entirely, giving users full control to desensitize paths like~/.ssh(nah-9lw)
Fixed
- Global-install flag detection now handles
=-joined forms (--target=/path,--global=true,--system=,--root=) and pip/pip3 short-tflag — previously only space-separated forms were caught, allowingpip install --target=/tmp flaskto bypass the global-install escalation - Bash token scanner now respects
allow_pathsexemption — previously only file tools (Read/Write/Edit) checkedallow_paths, so SSH commands with-i ~/.ssh/keystill prompted even when the path was exempted for the current project (nah-jwk)