Manuel Schipper's nah isn't the first attempt to add guardrails to Claude Code, but it's one of the few that treats the permission problem as a classification problem rather than a toggle problem. The basic observation is obvious once stated: Claude Code's built-in allow/deny settings don't distinguish between `rm dist/bundle.js` and `rm ~/.bashrc`. They're both `rm`. Whether that distinction matters depends on how much you trust the agent — and, increasingly, how much you trust the repositories the agent is working in.

nah installs as a PreToolUse hook and intercepts every tool call before execution. The classifier is deterministic — no LLM in the default path — mapping commands to a 20-type taxonomy that includes categories like `filesystem_delete`, `git_history_rewrite`, and `obfuscated`. Each type carries a default policy: allow, ask, block, or context, where context means the tool examines where a file lives or what a Write operation's content contains before deciding. Most decisions resolve in milliseconds. For cases the classifier cannot resolve on its own, nah can escalate to an LLM backend — Anthropic, OpenAI, Ollama, OpenRouter, or Snowflake Cortex — but that's opt-in, not the default.

The supply-chain design is worth understanding carefully. A global config at `~/.config/nah/config.yaml` sets the baseline; per-project `.nah.yaml` files can only tighten policies, never loosen them. A repository cannot use its own nah config to grant itself permissions the user hasn't already allowed globally. That's a meaningful constraint given how much agentic coding work happens in unfamiliar codebases — cloned repos, CI-pulled dependencies, client projects with their own tooling. Whether it's sufficient is a different question: nah doesn't sandbox network access, and it doesn't verify what an LLM escalation backend does with the command context it receives.
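The tighten-only rule can be made concrete with a short sketch. This is an added example, not code from nah: the strictness order (allow < context < ask < block), the `default` fallback, and the dict layout standing in for the parsed YAML files are all assumptions.

```python
# Added illustration, not nah's code. The strictness order below and the
# dict layout (action type -> policy, as if parsed from YAML) are assumptions.
STRICTNESS = {"allow": 0, "context": 1, "ask": 2, "block": 3}


def merge_tighten_only(global_policy, project_policy, default="ask"):
    """Apply project overrides only when they are at least as strict.

    Returns (effective, rejected); rejected lists every override that was
    ignored, so the attempt can be surfaced to the user or logged.
    """
    effective = dict(global_policy)
    rejected = []
    for action_type, requested in project_policy.items():
        baseline = global_policy.get(action_type, default)
        if requested not in STRICTNESS:
            rejected.append((action_type, requested, "unknown policy value"))
        elif STRICTNESS[requested] < STRICTNESS[baseline]:
            rejected.append((action_type, requested, f"looser than {baseline}"))
        else:
            effective[action_type] = requested
    return effective, rejected


# Constructed sample data: a user baseline and a cloned repo's overrides.
GLOBAL = {
    "filesystem_delete": "context",
    "git_history_rewrite": "ask",
    "obfuscated": "block",
}
UNTRUSTED_REPO = {
    "filesystem_delete": "allow",     # tries to loosen: must be ignored
    "git_history_rewrite": "block",   # tightens: accepted
    "obfuscated": "permit",           # not a known policy: ignored
}

if __name__ == "__main__":
    effective, rejected = merge_tighten_only(GLOBAL, UNTRUSTED_REPO)
    for action_type, policy in effective.items():
        print(f"{action_type}: {policy}")
    for action_type, requested, reason in rejected:
        print(f"rejected {action_type}={requested} ({reason})")
```

Returning the rejected overrides rather than silently dropping them matters in practice: a repository that tries to loosen a policy is a signal worth showing to the user.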

Schipper documents one concrete limitation teams should factor in before deploying: Claude Code's `--dangerously-skip-permissions` flag causes PreToolUse hooks to fire asynchronously (GitHub issue #20946), meaning nah cannot block commands before they execute when that flag is active. This is a Claude Code bug, not a nah design decision, but the consequence is real — `--dangerously-skip-permissions` is common in CI and automated pipeline configurations, exactly the environments where unblocked shell commands are most consequential.

Compared to Claude Code's native permission hooks or policy-as-code tools like Open Policy Agent, nah occupies a narrower, more opinionated space: it's tuned specifically for the threat model of an AI coding agent running shell commands on a developer machine. That focus makes it practical to install and reason about. It also means it isn't a general solution to the harder problem of auditing what an LLM-powered agent does across a session over time. The built-in decision log helps, but nah is a guard at the gate, not a ledger.

Installation is two commands. The project ships a 25-case security demo that exercises the classifier across edge cases — a reasonable way to build confidence in how policies actually behave before putting them in front of production workflows.