Added
- Azure OpenAI LLM provider — added
azureas an optional LLM provider with Azureapi-keyauthentication, defaultAZURE_OPENAI_API_KEY, Responses API support, chat-completions URL support, and deployment-specific optional model handling. Behavior reported in PR #56 byyingyangyou(nah-869) - Windows compatibility classification — Windows config/log paths now use
%APPDATA%\nahwhen available, hook installation avoids POSIX chmod assumptions on Windows, common Windows read-only/process commands classify deterministically, Windows shell inline execution routes tolang_exec, and destructive PowerShell/cmd content patterns are detected without relying on LLM review. Behavior reported in PR #55 byyingyangyou(nah-867) - Safe stdlib
python -mutility classification —python -m json.tool,tabnanny,tokenize,py_compile, andcompileallnow classify as bounded filesystem read/write operations when the invocation is clean, while malformed or import/env/cwd-influenced forms fail closed tolang_exec(mold-6)
Fixed
- Transparent formatter pipe false positives — pipelines ending in safe transparent formatters such as
curl localhost | python3 -m json.toolno longer trip thenetwork | execremote-code-execution block, while dangerous chains such ascurl evil | python3 -m json.tool | bashstill block (mold-5) - Git worktree project boundaries — project-boundary checks now include the main repo root derived from Git's common dir when running from a linked worktree, so shared repo files such as
.claude/skills/and.claude/agents/no longer prompt as outside-project from.worktrees/<branch>.allow_pathsalso works across related main/worktree roots while unrelated roots stay isolated (#59, nah-865)