Added
- LLM credential scrubbing — secrets (private keys, AWS keys, GitHub tokens,
sk-keys, hardcoded API keys) are now redacted from transcript context and Write/Edit/MultiEdit/NotebookEdit content before sending to LLM providers. Reusescontent.pysecret patterns (nah-pfd) - MultiEdit + NotebookEdit tool guard — both tools now get the same protection as Write/Edit: path checks, boundary enforcement, hook self-protection (hard block), content inspection, and LLM veto gate. Closes bypass where these tools had zero guards.
nah updatenow adds missing tool matchers on upgrade (nah-06p) - Symlink regression tests — 8 test cases confirming
realpath()resolution catches symlinks to sensitive targets across all tools: direct, chained, relative, broken, and allow_paths interaction (#57) /tmptrusted by default —/tmpand/private/tmpare now default trusted paths forprofile: full. Writes to/tmpno longer prompt. Standard scratch space with no security value (nah-f08)- Hook directory reads allowed — reading
~/.claude/hooks/no longer prompts for any tool. Write/Edit still hard-blocked for self-protection. Reduces friction when inspecting installed hooks (#44, nah-arn) /etc/shadowadded to sensitive paths asblock(#54)
Fixed
- LLM response parser hardened — removed
find("{")/rfind("}")fallback in_parse_responsethat allowed echo attacks where injected JSON in transcript/file content could be extracted as the real decision. Now only accepts clean JSON or markdown-fenced JSON; prose-wrapped responses fail-safe to human review (nah-pfd) nah updatenow adds missing tool matchers on upgrade (previously only patched the hook command path — new tools were invisible untilnah install)- LLM metadata (provider, model, latency, reasoning) now always logged for Write/Edit/NotebookEdit, even when LLM agrees with the deterministic decision