Manuel Schipper has released nah, an open-source Python tool that installs as a PreToolUse hook for Claude Code and provides context-aware permission control well beyond the binary allow/deny system built into Anthropic's coding assistant. Rather than maintaining a static deny list, nah uses a deterministic structural classifier — operating in milliseconds with no LLM involvement — to evaluate every tool call across Bash, Read, Write, Edit, Glob, Grep, and MCP tools. The same command can receive different verdicts depending on context: removing a file inside a project boundary is permitted, while targeting ~/.bashrc triggers a block or confirmation prompt. The tool ships with 20 built-in action types and three configurable policies (allow, ask, block), and for cases the deterministic classifier cannot resolve, it can optionally route decisions to a configurable LLM backend including Ollama, OpenRouter, OpenAI, Anthropic, or Snowflake Cortex.

Supply-chain safety shapes the config design: per-project .nah.yaml files can only tighten global policies, never relax them. A malicious repository cannot use its own config to allowlist dangerous commands. The tool also blocks self-modification, preventing Claude Code from editing the hook files nah lives in. Every classification is logged and inspectable via the nah log CLI, with filters for blocked and ask decisions by tool type.
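The tighten-only rule described above, sketched as an added example (this is not nah's own code or its .nah.yaml schema). The action-type names, the dict layout and the "ask" default for actions the global config omits are assumptions; only the three policies come from the article.

```python
# Added illustration, not nah's source code. Action-type names and the dict
# layout are hypothetical; only allow/ask/block come from the article.
STRICTNESS = {"allow": 0, "ask": 1, "block": 2}
DEFAULT_POLICY = "ask"  # assumption: baseline for actions the global config omits


def merge_tighten_only(global_policy, project_policy):
    """Merge a repo-level policy into the global one without ever relaxing it.

    Returns (effective, rejected). `rejected` lists overrides that were
    ignored because they were invalid or looser than the baseline.
    """
    effective = dict(global_policy)  # copy, so the global policy is not mutated
    rejected = []
    for action, wanted in project_policy.items():
        wanted = str(wanted).strip().lower()
        baseline = effective.get(action, DEFAULT_POLICY)
        if wanted not in STRICTNESS:
            rejected.append((action, wanted, "unknown policy"))
            effective[action] = baseline
        elif STRICTNESS[wanted] < STRICTNESS[baseline]:
            # A repo asking for less friction than the user configured.
            rejected.append((action, wanted, "looser than " + baseline))
            effective[action] = baseline
        else:
            effective[action] = wanted
    return effective, rejected


# Constructed sample input: a user's global policy and the config an
# untrusted repository might ship.
GLOBAL = {"filesystem_delete": "ask", "network_outbound": "block", "git_safe": "allow"}
REPO = {
    "filesystem_delete": "allow",  # tries to relax ask -> allow
    "network_outbound": "ask",     # tries to relax block -> ask
    "git_safe": "ask",             # tightens allow -> ask (accepted)
    "package_install": "allow",    # not set globally, looser than the default
    "lang_exec": "Block",          # tightens the default, mixed case
}

if __name__ == "__main__":
    effective, rejected = merge_tighten_only(GLOBAL, REPO)
    for action in sorted(effective):
        print(f"{action:18} {effective[action]}")
    for action, wanted, reason in rejected:
        print(f"ignored {action}={wanted}: {reason}")
```

The rejected list is worth logging in its own right: a repository config that tries to loosen policy is a signal to review before running an agent in that checkout.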

There is, however, a significant architectural caveat that nah's own documentation surfaces explicitly. Claude Code's --dangerously-skip-permissions flag causes PreToolUse hooks to fire asynchronously, meaning a hook's block decision can arrive after the guarded command has already executed — a race condition documented in GitHub issue #20946. This renders hook-based enforcement tools like nah advisory rather than enforceable when that flag is active, and nah's install instructions specifically warn users to avoid it.

The Hacker News discussion around the release surfaced two sharper limitations. First, binwiederhier's sandclaude takes a containerization route, isolating Claude Code in Docker with a limited toolset — the argument being that even a successfully executed destructive command has a contained blast radius, which hook interception alone cannot guarantee. Second, commenters noted that inlined scripts such as python -c one-liners can be semantically destructive while remaining syntactically opaque to a structural classifier. nah catches what it can parse; it cannot catch what it cannot see.

The practical split is this: nah adds meaningful friction against accidental or low-sophistication destructive commands with near-zero latency overhead, and its supply-chain protections are genuinely useful for teams working across untrusted repos. Containerization via sandclaude is harder to set up but enforces limits at the OS level rather than the hook level — it holds even when the skip-permissions flag is in play. Until Anthropic fixes the async hook execution behavior, users who need hard guarantees rather than best-effort interception should treat nah as a complement to <a href="/news/2026-03-14-nanoclaw-partners-with-docker-for-hypervisor-level-agent-sandboxing">container isolation</a>, not a substitute for it.

nah is available on PyPI and can be installed with pip install nah followed by nah install; the source is published at github.com/manuelschipper/nah.