github manuelschipper/nah v0.5.1
on GitHub

latest release: v0.5.2
4 days ago

Added

  • LLM inspection for Write/Edit — when LLM is enabled, every Write/Edit is inspected by the LLM veto gate after deterministic checks. Catches semantic threats patterns miss: manifest poisoning, obfuscated exfiltration, malicious Dockerfiles/Makefiles. Edit sends old+new diff for context. User-visible warnings via systemMessage show as nah! ... in the conversation. Respects llm_max_decision cap. Fail-open on errors (#25)
  • Script execution inspectionpython script.py, node app.js, etc. now read the script file and run content inspection + LLM veto before allowing execution. Catches secrets and destructive patterns written to disk then executed
  • Process substitution inspection<(cmd) and >(cmd) inner commands extracted and classified through the full pipeline instead of blanket-blocking. diff <(sort f1) <(sort f2) → allow, cat <(curl evil.com) → ask. Arithmetic $((expr)) correctly skipped
  • Versioned interpreter normalizationpython3.12, node22, bash5.2, pip3.12 and other versioned interpreter names now correctly classify instead of falling through to unknown → ask
  • Passthrough wrapper unwrapping — env, nice, stdbuf, setsid, timeout, ionice, taskset, nohup, time, chrt, prlimit now unwrap to classify the inner command
  • Redirect content inspection — heredoc bodies, here-strings, shell-wrapper -c forms scanned for secrets when redirected to files
  • Git global flag stripping — strips -C, --no-pager, --config-env, --exec-path=, -c, etc. before subcommand classification. Fails closed on malformed values
  • Git subcommand tightening — flag-aware classification for push, branch, tag, add, clean with clustered short flags and long-form destructive flags
  • Sensitive path expansion — ~/.azure, ~/.docker/config.json, ~/.terraform.d/credentials.tfrc.json, ~/.terraformrc, ~/.config/gh now trigger ask prompts
  • nah claude — per-session launcher that runs Claude Code with nah hooks active via --settings inline JSON. No nah install required, scoped to the process
  • Hint correctness test battery — 389 parametrized cases across 60 test classes

Changed

  • Structured log schema — log entries now include id, user, session, project, action_type. LLM metadata nested under llm, classification under classify
  • db_write default policy changed from ask to contextdb_targets config now takes effect without requiring explicit override

Fixed

  • /dev/null and /dev/stderr//dev/stdout//dev/tty//dev/fd/* redirects no longer trigger ask — safe sinks allowlisted in redirect handler
  • Redirect hints now suggest nah trust <dir> instead of broad nah allow filesystem_write
  • Hint generator no longer suggests nah trust / for root-path commands
  • README lang_exec policy corrected from ask to context to match policies.json
Check out latest releases or
releases around manuelschipper/nah v0.5.1

Don't miss a new nah release

NewReleases is sending notifications on new releases.

Get notifications