SaaS Metrics
Show HN: A context-aware permission guard for Claude Code
A safer, more scalable, and context-aware alternative to basic allow-or-deny permission systems for LLM agents, preventing dangerous actions without nuking untracked files or exfiltrating keys.
View Origin LinkProduct Positioning & Context
AI Executive Synthesis
A safer, more scalable, and context-aware alternative to basic allow-or-deny permission systems for LLM agents, preventing dangerous actions without nuking untracked files or exfiltrating keys.
The "nah" project addresses a critical and emerging pain point in the rapidly evolving landscape of AI agent development, specifically concerning the security and control of autonomous LLM-powered tools like Claude Code. As LLMs transition from conversational interfaces to active agents capable of executing code and interacting with system resources, the need for robust, context-aware permission systems becomes paramount. Current approaches, often limited to simple allow-or-deny lists per tool, are proving unscalable and insufficient, leading to a dilemma where developers either risk dangerous actions or severely cripple agent capabilities.
"nah" represents a significant step forward by introducing a "PreToolUse hook" that deterministically classifies agent actions into granular "action types" (e.g., filesystem_read, git_history_rewrite). This allows for the application of sophisticated, context-dependent policies (allow, context, ask, block), moving beyond the "fool's errand" of maintaining static deny lists. Developers care deeply about this because it directly tackles the inherent tension between agent autonomy and system security. It enables them to deploy powerful AI agents with confidence, mitigating risks like data exfiltration or malware installation, while still allowing for necessary operations under controlled conditions.
This tool signifies a broader trend towards "agent safety" and "AI guardrails" as a distinct and crucial layer in the AI development stack. It highlights the market's demand for specialized tooling that bridges the gap between LLM capabilities and enterprise-grade security requirements. The shift from coarse-grained, static permissions to dynamic, context-aware policy enforcement is a key innovation, reflecting a maturing understanding of how to build reliable and trustworthy autonomous systems. "nah" positions itself as an essential component for any organization building or deploying LLM agents, ensuring operational safety without sacrificing the agent's utility.
"nah" represents a significant step forward by introducing a "PreToolUse hook" that deterministically classifies agent actions into granular "action types" (e.g., filesystem_read, git_history_rewrite). This allows for the application of sophisticated, context-dependent policies (allow, context, ask, block), moving beyond the "fool's errand" of maintaining static deny lists. Developers care deeply about this because it directly tackles the inherent tension between agent autonomy and system security. It enables them to deploy powerful AI agents with confidence, mitigating risks like data exfiltration or malware installation, while still allowing for necessary operations under controlled conditions.
This tool signifies a broader trend towards "agent safety" and "AI guardrails" as a distinct and crucial layer in the AI development stack. It highlights the market's demand for specialized tooling that bridges the gap between LLM capabilities and enterprise-grade security requirements. The shift from coarse-grained, static permissions to dynamic, context-aware policy enforcement is a key innovation, reflecting a maturing understanding of how to build reliable and trustworthy autonomous systems. "nah" positions itself as an essential component for any organization building or deploying LLM agents, ensuring operational safety without sacrificing the agent's utility.
We needed something like --dangerously-skip-permissions that doesn’t nuke your untracked files, exfiltrate your keys, or install malware.Claude Code's permission system is allow-or-deny per tool, but that doesn’t really scale. Deleting some files is fine sometimes. And git checkout is sometimes not fine. Even when you curate permissions, 200 IQ Opus can find a way around it. Maintaining a deny list is a fool's errand.nah is a PreToolUse hook that classifies every tool call by what it actually does, using a deterministic classifier that runs in milliseconds. It maps commands to action types like filesystem_read, package_run, db_write, git_history_rewrite, and applies policies: allow, context (depends on the target), ask, or block.Not everything can be classified, so you can optionally escalate ambiguous stuff to an LLM, but that’s not required. Anything unresolved you can approve, and configure the taxonomy so you don’t get asked again.It works out of the box with sane defaults, no config needed. But you can customize it fully if you want to.No dependencies, stdlib Python, MIT.pip install nah && nah installhttps://github.com/manuelschipper/nah
Related Ecosystem & Alternatives
Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.
Deep-Dive FAQs
What is A context-aware permission guard for Claude Code?
A context-aware permission guard for Claude Code is analyzed by our AI as: A safer, more scalable, and context-aware alternative to basic allow-or-deny permission systems for LLM agents, preventing dangerous actions without nuking untracked files or exfiltrating keys.. It focuses on The "nah" project addresses a critical and emerging pain point in the rapidly evolving landscape of AI agent development, specifically concerning t...
Where did A context-aware permission guard for Claude Code originate?
Data for A context-aware permission guard for Claude Code was aggregated directly from the Hacker News community ecosystem, representing raw developer and early-adopter sentiment.
When was A context-aware permission guard for Claude Code publicly launched?
The initial public indexing or launch date for A context-aware permission guard for Claude Code within our tracked developer communities was recorded on March 13, 2026.
How popular is A context-aware permission guard for Claude Code?
A context-aware permission guard for Claude Code has achieved measurable traction, logging over 124 traction score and facilitating 90 recorded discussions or engagements.
Which technical categories define A context-aware permission guard for Claude Code?
Based on metadata extraction, A context-aware permission guard for Claude Code is categorized under topics such as: context-aware permission guard, PreToolUse hook, deterministic classifier, allow-or-deny per tool.
What are some commercial alternatives to A context-aware permission guard for Claude Code?
Our semantic intelligence engine identifies potential commercial alternatives in the SaaS space, such as Databerry, which offers overlapping value propositions.
How does the creator describe A context-aware permission guard for Claude Code?
The original author or development team describes the product as follows: "We needed something like --dangerously-skip-permissions that doesn’t nuke your untracked files, exfiltrate your keys, or install malware.Claude Code's permission system is allow-or-deny per tool, b..."
Community Voice & Feedback
The deny list problem is real but I think the harder issue is that context matters so much. Deleting a temp file and deleting a config file look the same to a classifier.We've been approaching it from the policy side, define what the agent is allowed to do upfront and evaluate each action before it runs. Human approval for anything that falls outside the policy. Different tradeoffs but same underlying frustration.
This is not criticism of your project specifically, but a question for all tools in this space: What's stopping your agent from overwriting an arbitrary source file (e.g. index.js) with arbitrary code and running it?A rogue agent doesn't need to run `rm -rf /`, it just needs to include a sneaky `runInShell('rm -rf /')` in ANY of your source code files and get it to run using `npm test`. Both of those actions will be allowed on the vast majority of developer machines without further confirmation. You need to review every line of code changed before the agent is allowed to execute it for this to work and that's clearly not how most people work with agents.I can see value in projects like this to protect against accidental oopsies and making a mess by accident, but I think that marketing tools like this as security tools is irresponsible - you need real isolation using containers or VMs.Here's one more example showing you why blacklisting doesn't work, it doesn't matter how fancy you try to make it because you're fighting a battle that you can't win - there are effectively an infinite number of programs, flags, environment variables and config files that can be combined in a way to execute arbitrary commands: bash> nah test "PAGER='/bin/sh -c \"touch ~/OOPS\"' git help config"
Command: PAGER='/bin/sh -c "touch ~/OOPS"' git help config
Stages:
[1] git help config → git_safe → allow → allow (git_safe → allow)
Decision: ALLOW
Reason: git_safe → allow
Alternatively: bash> nah test "git difftool -y -x 'touch ~/OOPS2' --no-index /etc/hostname /etc/hosts"
Command: git difftool -y -x 'touch ~/OOPS2' --no-index /etc/hostname /etc/hosts
Stages:
[1] git difftool -y -x touch ~/OOPS2 --no-index /etc/hostname /etc/hosts → git_safe → allow → allow (git_safe → allow)
Decision: ALLOW
Reason: git_safe → allow
Command: PAGER='/bin/sh -c "touch ~/OOPS"' git help config
Stages:
[1] git help config → git_safe → allow → allow (git_safe → allow)
Decision: ALLOW
Reason: git_safe → allow
Alternatively: bash> nah test "git difftool -y -x 'touch ~/OOPS2' --no-index /etc/hostname /etc/hosts"
Command: git difftool -y -x 'touch ~/OOPS2' --no-index /etc/hostname /etc/hosts
Stages:
[1] git difftool -y -x touch ~/OOPS2 --no-index /etc/hostname /etc/hosts → git_safe → allow → allow (git_safe → allow)
Decision: ALLOW
Reason: git_safe → allow
Interesting approach to the PreToolUse side. I've been building on the other end — PostToolUse hooks that commit every tool call to an append-only Merkle tree (RFC 6962 transparency log style). The two concerns are complementary: "nah" answers "should this action be allowed?" while a transparency log answers "can we prove what actually happened, after the fact?"
For the adversarial cases people are raising (obfuscated commands, indirect execution) — even if a classifier misses something at pre-execution time, an append-only log with inclusion proofs means the action is still
cryptographically recorded. You can't quietly delete the embarrassing entries later.
The hooks ecosystem is becoming genuinely useful. PreToolUse for policy enforcement, PostToolUse for audit trail, SessionStart/End for lifecycle tracking. Would be great to see these compose — a guard that also commits
its allow/deny decisions to a verifiable log.
For the adversarial cases people are raising (obfuscated commands, indirect execution) — even if a classifier misses something at pre-execution time, an append-only log with inclusion proofs means the action is still
cryptographically recorded. You can't quietly delete the embarrassing entries later.
The hooks ecosystem is becoming genuinely useful. PreToolUse for policy enforcement, PostToolUse for audit trail, SessionStart/End for lifecycle tracking. Would be great to see these compose — a guard that also commits
its allow/deny decisions to a verifiable log.
As binwiederhier mentioned, we're all solving the same problems in different ways. There are now enough AI sandboxing projects (including mine: sandvault and clodpod) that I started a list: https://github.com/webcoyote/awesome-AI-sandbox
It helps but a LLM could still code a destructive command (like inlined python -c scripts) you can't parse by rules and regex, or a gatekeeper LLM be able to understand its implication reliably. My solution is sandbox + git, where the .git folder is write protected in the sandbox as well as any outside files being r/o too.My personal anecdata is that both cases when Claude destroyed work it was data inside the project being worked on, and not matching any of the generic rules. Both could have been prevented by keeping git clean, which I didn't.
How do people install stuff like this? So many tools these days use `npm install` or `pip install`. I certainly have npm and pip installed but they're sandboxed to specific projects using a tool like devbox, nix-devshell, docker or vagrant (in order of age). And they'll be wildly different versions. To be pedantic `pip` is available globally but it throws the sensible `error: externally-managed-environment`I'm sure there's a way to give this tool it's own virtualenv or similar. But there are a lot of those things and I haven't done much Python for 20 years. Which tool should I use?
I love how everyone is trying to solve the same problems, and how different the solutions are.I made this little Dockerfile and script that lets me run Claude in a Docker container. It only has access to the workspace that I'm in, as well as the GitHub and JIRA CLI tool. It can do whatever it wants in the workspace (it's in git and backed up), so I can run it with --dangerously-skip-permissions. It works well for me. I bet there are better ways, and I bet it's not as safe as it could be. I'd love to learn about other ways that people do this.https://github.com/binwiederhier/sandclaude
The deterministic context system is intuitive and well-designed. That said, there's more to consider, particularly around user intent and broader information flow.I created the hooks feature request while building something similar[1] (deterministic rails + LLM-as-a-judge, using runtime "signals," essentially your context). Through implementation, I found the management overhead of policy DSLs (in my case, OPA) was hard to justify over straightforward scripting- and for any enterprise use, a gateway scales better. Unfortunately, there's no true protection against malicious activity; `Bash()` is inherently non-deterministic.For comprehensive protection, a sandbox is what you actually need locally if willing to put in any level of effort. Otherwise, developers just move on without guardrails (which is what I do today).[1] https://github.com/eqtylab/cupcake
The entire permissions system feels like it's ripe for a DSL of some kind. Looking at the context implementation in src/nah/context.py and the way it hardcodes a ton of assumptions makes me think it will just be a maintenance nightmare to account for _all_ possible contexts and known commands. It would be nice to be able to express that __pycache__/ is not an important directory and can be deleted at will without having to encode that specific directory name (not that this projects hardcodes it, it's just an example to get to the point).
FYI, claude code “auto” mode may launch as soon as tomorrow: https://awesomeagents.ai/news/claude-code-auto-mode-research...
Discovery Source
Hacker News Aggregated via automated community intelligence tracking.
Tech Stack Dependencies
No direct open-source NPM package mentions detected in the product documentation.
Media Tractions & Mentions
No mainstream media stories specifically mentioning this product name have been intercepted yet.
Deep Research & Science
No direct peer-reviewed scientific literature matched with this product's architecture.