Fixed
- Conservative kubectl read classification with global flag support — `kubectl -n <ns> logs ...`, `kubectl --namespace=<ns> get pods`, and other known low-risk Kubernetes inspection commands now classify as `container_read` instead of falling through to `unknown`. The classifier strips recognized kubectl global flags before matching subcommands, while malformed flags, mutations, exec/copy/port-forward paths, detailed object dumps (`-o yaml/json`), secrets, configmaps, service accounts, and custom resources remain on the `unknown` ask path. Tracks #67, superseding the broad prefix-table approach from #51 and the global-flag stripping branch #68.
- Explicit-delimiter `mise` wrappers preserve payload classification — `mise exec -- <cmd>`, `mise x -- <cmd>`, and `mise watch -- <cmd>` now classify and resolve context from the command after `--`, so safe Git/GitHub CLI reads allow, script and inline-code inspection use the inner payload, and unknown tools launched through `mise` still ask. Redirected literal content is inspected through the wrapper while preserving the outer redirect target guard. (nah-878)
- GitHub CLI API reads no longer look like script execution — `gh api ...` now uses a full-profile flag classifier instead of the generic `lang_exec` table entry, so read-only API calls such as `gh api repos/owner/repo/contributors --jq length` classify as `git_safe` and no longer ask with `script not found: .../api`. POST-like methods, request bodies, implicit POST field flags, typed `--field key=@file` payloads, and `--input` stay on the existing `network_write` ask path, while `gh extension exec` remains `lang_exec`. (nah-32c)
- Direct script arguments no longer resolve as script paths — `nah` now treats `tokens[0]` as the inspected script for direct script invocations such as `./bin/release.sh 2.0.0 prerelease --label rc`, instead of scanning positional arguments and asking on `script not found: <project>/2.0.0`. Missing direct scripts still fail closed, but the prompt now names the missing script rather than the first argument. Reported in #70; PR behavior integrated from #72 by @srgvg. (nah-877)
- Windows hook shim and update compatibility — the generated `nah_guard.py` shim now includes an explicit UTF-8 source cookie and treats old non-UTF-8 hook files as stale during update, rewriting them safely instead of crashing while checking for identical content. `nah update` now handles both current string-style Claude hook matchers and legacy object-style `{"tool_name": [...]}` matchers, preserves object-style entries when present, and creates a missing `hooks.PreToolUse` list before adding new tool matchers. Reported in #58 by @zacbrown.
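
A sketch of the fail-closed kubectl classification described in the first item above, added here as an illustration and not taken from nah's code. The flag, verb and resource sets and the function names are assumptions; only the `container_read` and `unknown` labels come from this changelog.

```python
import shlex

# Assumed, illustrative allowlists; nah's real tables are not shown on this page.
VALUE_FLAGS = {"-n", "--namespace", "--context", "--cluster", "--kubeconfig"}
READ_VERBS = {"get", "describe", "logs", "top"}
SAFE_FLAGS = {"-A", "--all-namespaces", "--no-headers"}
KNOWN_RESOURCES = {"pod", "pods", "po", "deployment", "deployments", "deploy",
                   "service", "services", "svc", "node", "nodes", "events"}


def strip_global_flags(tokens):
    """Drop recognized global flags; return None if one is malformed."""
    out, i = [], 0
    while i < len(tokens):
        name, eq, value = tokens[i].partition("=")
        if name in VALUE_FLAGS:
            if eq and not value:
                return None                  # "--namespace=" with no value
            if not eq:
                i += 1                       # value is the next token
                if i >= len(tokens) or tokens[i].startswith("-"):
                    return None              # flag is missing its value
        else:
            out.append(tokens[i])
        i += 1
    return out


def classify_kubectl(command):
    """Return "container_read" only for allowlisted reads, else "unknown"."""
    if any(c in command for c in ";|&<>`$()\n"):
        return "unknown"                     # not a single simple command
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "unknown"                     # unbalanced quoting
    if not tokens or tokens[0] != "kubectl":
        return "unknown"
    rest = strip_global_flags(tokens[1:])
    if not rest or rest[0] not in READ_VERBS:
        return "unknown"                     # mutations, exec, cp, port-forward
    verb, args = rest[0], rest[1:]
    if any(a.startswith("-") and a not in SAFE_FLAGS for a in args):
        return "unknown"                     # includes -o yaml / -o json
    if verb in {"get", "describe"}:
        names = [a for a in args if not a.startswith("-")]
        kinds = names[0].split(",") if names else [""]
        if not all(k.split("/")[0].lower() in KNOWN_RESOURCES for k in kinds):
            return "unknown"                 # secrets, configmaps, CRDs, ...
    return "container_read"
```

Because every set is an allowlist, anything the classifier does not recognize (a new flag, a custom resource, a sensitive kind) lands on `unknown` without needing its own deny rule.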