github manuelschipper/nah v0.9.0

4 hours ago

Added

  • Guarded Codex headless exec — nah run codex exec and nah run codex e
    now guard local headless Codex runs with deterministic PreToolUse
    enforcement, block unresolved asks by default, disable unsupported headless
    tool surfaces, and log headless fallback/sandbox metadata. (nah-936)
  • First-class Nix packaging — added default.nix, a flake, and Nix CI so
    users can install the full nah CLI with YAML config and OS keyring support
    through nix profile add github:manuelschipper/nah. Nix and
    pip install "nah[config,keys]" are now peer recommended CLI install paths;
    the Claude plugin remains a separate Claude-only distribution. Inspired by
    PR #82 from ryanswrt. (nah-937)
  • Trusted container exec unwrapping — opt-in trusted_containers config can
    make docker exec, docker container exec, and simple
    docker compose exec transparent for narrow read-like payloads inside exact
    trusted identities, while writes, package scripts, network/database/container
    actions, unknown tools, credential-marker payloads, and unsupported Docker
    flags still ask or block. (nah-924)
  • Codex authority prompt routing — nah run codex now launches Codex with
    approval_policy="untrusted" and installs a nah-managed
    $CODEX_HOME/rules/nah-authority.rules file so Codex-known-safe command
    prefixes such as cat, git, rg, and shell wrappers still route through
    nah's PermissionRequest classifier before execution. nah codex setup
    creates or refreshes this authority file, nah codex doctor inspects
    approval-memory/MCP drift, and nah codex remove-setup removes only the
    nah-managed setup files. (nah-923)
  • Codex confirm-edits mode — safe project-local apply_patch add/update
    edits now allow by default after nah path and content checks, while
    nah run codex --confirm-edits keeps those safe edits on Codex's native
    approval path for users who want edit confirmations.
  • Lang-exec LLM review for heredoc scripts — LLM script-veto prompts now
    include the full inspected heredoc body for interpreter commands such as
    python3 <<'PY', and the review policy now allows plainly read-only local
    inspection scripts instead of escalating solely for ordinary config/log/state
    reads.
  • Codex PreToolUse observation for taint tracking — nah run codex now
    injects Codex PreToolUse, PermissionRequest, and PostToolUse hooks via
    the canonical features.hooks flag. PreToolUse observes routine Bash, MCP,
    and apply_patch calls without LLM review so taint source reads can be
    tracked before execution, while PermissionRequest remains the enforcement
    hook and PostToolUse confirms execution outcomes. (nah-921)
  • Runtime-neutral session taint tracking — opt-in taint mode now tracks
    successful sensitive reads across Claude, Codex, and terminal guard sessions,
    propagates labels to local writes/repo state, and can audit or enforce
    activation/boundary policies without weakening existing nah decisions.
    Defaults remain off; terminal guard taint support is audit-only in v1.
    (nah-919)
  • Session provenance guard — opt-in provenance mode now tracks
    successful writes from guarded Claude/Codex runs and can pause later
    activation or boundary actions when they operate over session-written files
    or repo state. context policies build a bounded session-delta packet for
    LLM review; incomplete packets or uncertain reviews remain asks. (nah-929)
  • Runtime execution outcome logging — nah now records append-only
    runtime and execution metadata for Claude, Codex, and terminal guard
    decisions so audit logs can distinguish a pre-execution permission decision
    from an observed tool outcome. Claude PostToolUse/PostToolUseFailure and
    Codex PostToolUse hooks log successful or failed execution without changing
    permission policy, while terminal prompts report denied or approved-to-run
    states without claiming process completion. (nah-920)
  • Non-Git project config with exact-root trust — nah now loads
    ./.nah.yaml from the current directory outside Git while keeping Git-root
    config precedence inside repositories. Project config remains tighten-only by
    default; nah trust-project / nah untrust-project manage exact project
    roots whose config may loosen policy and activate project classify rules.
    (nah-918)

Fixed

  • Agent hook executable transport — Claude direct hooks and Codex hook
    overrides now call the installed nah executable instead of a raw Python
    interpreter plus import path. This fixes Nix and wrapper-based installs where
    the package is importable through the nah executable but not through the
    bare interpreter. nah update claude migrates old direct-hook settings even
    when the old shim file is missing. Reported in #83
    by ryanswrt. (nah-943)

Changed

  • Session provenance outside-project identity — session-written files
    outside the current project boundary now stay direct-path-only in provenance
    state instead of being aggregated under the current repo; exact path
    activation can still trigger provenance review, but base outside-project
    asks/blocks keep their authority. (nah-939)
  • Decision prompts no longer include auto-allow hints — ask/block output no
    longer appends remediation suggestions such as nah trust, nah allow,
    nah allow-path, or nah classify, because misleading shortcuts can loosen
    policy in the wrong place. Friendly safety reasons and diagnostic metadata
    remain. (nah-935)
  • Taint boundary sinks — taint tracking now treats network diagnostics,
    database reads, browser interaction/navigation/exec, container actions, git
    history rewrites, remote agent execution, and agent servers as boundary sinks
    by default. Users can tune category membership with
    taint.categories.*.add/remove.

Fixed

  • Bazel test label classification — local bazel test and
    bazelisk test target labels now classify as package_run, so valid
    Bazel labels such as //pkg:target no longer pause as unknown commands
    or get mistaken for filesystem paths. (#62)
  • jq read-only classification — jq now classifies as
    filesystem_read, so JSON inspection pipelines such as
    ... --json | jq '.metadata' no longer pause as unknown commands while
    sensitive-path reads still stay guarded.
  • Codex setup command surface — nah codex setup now backs up and fixes
    supported Codex approval-memory/MCP drift, so the separate pre-v1
    nah codex repair command has been removed. (nah-925)
  • YAML llm.mode: on/off parsing — PyYAML parses unquoted on and off
    as booleans, so nah now accepts boolean true/false anywhere it reads LLM
    mode, including target overrides and inline --config overrides.
  • Codex lifecycle guidance — bare nah install, nah update, and
    nah uninstall now explain that Codex is session-scoped through
    nah run codex, and nah update codex reports that there is no persistent
    Codex update target.
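
The YAML llm.mode item above, as an added example that is not nah's own code: PyYAML follows YAML 1.1, so an unquoted on or off arrives as a Python bool and a string comparison silently misses it. The targets key and all function names are assumptions made for illustration.

```python
# Added illustration; only the llm.mode key comes from the release notes.
VALID_MODES = ("on", "off")

def normalize_llm_mode(value):
    """Map a parsed llm.mode value to "on" or "off"; reject anything else."""
    # Test bool first: PyYAML turns unquoted on/off/yes/no into True/False,
    # and bool is a subclass of int, so a later int check would be too late.
    if isinstance(value, bool):
        return "on" if value else "off"
    if isinstance(value, str) and value.strip().lower() in VALID_MODES:
        return value.strip().lower()
    # Fail closed on 1, None, "auto", ... instead of guessing a mode.
    raise ValueError(f"unsupported llm.mode value: {value!r}")

def normalize_config(cfg):
    """Return a copy of cfg with llm.mode and each per-target mode normalized."""
    llm = dict(cfg.get("llm", {}))
    if "mode" in llm:
        llm["mode"] = normalize_llm_mode(llm["mode"])
    targets = {}
    for name, override in llm.get("targets", {}).items():  # hypothetical key
        override = dict(override)
        if "mode" in override:
            override["mode"] = normalize_llm_mode(override["mode"])
        targets[name] = override
    if targets:
        llm["targets"] = targets
    return {**cfg, "llm": llm}

def naive_is_off(cfg):
    """The comparison that breaks: False == "off" evaluates to False."""
    return cfg["llm"]["mode"] == "off"

# Constructed sample: the dict yaml.safe_load returns for
#   llm:
#     mode: off                  (unquoted -> False)
#     targets:
#       codex:  {mode: on}       (unquoted -> True)
#       claude: {mode: "off"}    (quoted   -> "off")
PARSED = {"llm": {"mode": False,
                  "targets": {"codex": {"mode": True},
                              "claude": {"mode": "off"}}}}

if __name__ == "__main__":
    print("naive check sees off:", naive_is_off(PARSED))
    print("normalized:", normalize_config(PARSED))
```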
