HN
Today

Show HN: A context-aware permission guard for Claude Code

This Show HN introduces 'nah', a sophisticated, context-aware permission guard designed for Claude Code, addressing the limitations of its basic allow-or-deny system. It prevents AI from performing dangerous actions by classifying tool calls and enforcing granular policies without always needing an LLM. This project resonates with the HN community by tackling a critical AI safety and control problem with an elegant, technical solution.

12
Score
6
Comments
#5
Highest Rank
11h
on Front Page
First Seen
Mar 12, 12:00 AM
Last Seen
Mar 12, 10:00 AM
Rank Over Time
85131010101112121527

The Lowdown

The project 'nah' is a pre-tool-use hook for Claude Code that acts as a robust, context-aware permission system. It aims to solve the problem of AI agents circumventing simple allow/deny permissions or misusing the --dangerously-skip-permissions flag, which can lead to unintended file deletion, key exfiltration, or malware installation.

  • The Problem: Claude Code's native permission system is too simplistic (tool-level allow/deny) and easily bypassed by intelligent LLMs. The existing 'skip permissions' option is unsafe, as hooks fire asynchronously, allowing commands to execute before being blocked.
  • How it Works: nah intercepts every tool call (e.g., Bash, Read, Write) before execution. It uses a deterministic, structural classifier to categorize actions (e.g., filesystem_read, git_history_rewrite) in milliseconds.
  • Context-Aware Decisions: nah applies policies (allow, context, ask, block) based on the classified action and its context. For example, rm dist/bundle.js might be allowed, while rm ~/.bashrc would prompt for confirmation ('nah?').
  • Optional LLM Layer: For ambiguous commands the deterministic classifier can't resolve, nah can optionally consult an LLM (supporting various providers), but the deterministic layer always runs first.
  • Configurability & Safety: It works out-of-the-box with sane defaults but is highly configurable via YAML files for action types, sensitive paths, and custom classifications. Crucially, project-specific .nah.yaml files can only tighten policies, not relax them, ensuring supply-chain safety against malicious repositories.
  • CLI & Demo: nah provides a command-line interface for installation, configuration, testing (e.g., `nah test

The Gossip

Dangerously Skipping Permissions: A Conundrum

Users expressed initial confusion regarding the project's warning not to use `--dangerously-skip-permissions` after stating it was a motivation for `nah`. The author clarifies that using this flag bypasses all hooks, including `nah`, making it inherently unsafe, thus reinforcing the need for `nah` as a true, safe alternative.

Creative Classifiers & Comparative Creations

The discussion included other developers sharing similar projects they'd built, often using more naive text matching. The author engaged, noting his initial skepticism about solving the problem without an LLM, but affirming that pattern matching proved surprisingly effective in preventing many potential catastrophes.

Future of Claude Code and `nah`'s Niche

Commenters brought up Claude Code's impending 'auto' mode and questioned how `nah` would fit into this future. The author suggested `nah` could be complementary or an alternative for users seeking more granular control or concerned about the latency and cost associated with LLM-driven 'auto' modes.