
Open-Source Tool 'nah' Adds Context-Aware Permission Guards to Claude Code

Claude Code's built-in permission system works on a simple model: allow or deny each tool. That means rm dist/bundle.js (cleaning up build output) gets the same treatment as rm ~/.bashrc (deleting your shell config). A new open-source tool called "nah" replaces this with context-aware classification that evaluates what a command actually does before deciding whether to let it through.

How It Works

nah runs as a PreToolUse hook, meaning it intercepts every tool call before Claude Code executes it. Instead of per-tool allow/deny rules, it uses a deterministic classifier that analyzes command structure, file paths, and context to sort actions into categories like filesystem_read (always allowed), filesystem_delete (evaluated by context), or git_history_rewrite (always ask).

Some examples of how context changes the decision:

  • git push passes automatically, but git push --force triggers a confirmation prompt
  • Reading project files is fine, but reading ~/.ssh/id_rsa gets blocked
  • Writing code inside your project directory is allowed, but writing outside it requires approval
  • Obfuscated commands (like base64-encoded payloads piped to bash) are blocked outright

The tool monitors Bash, Read, Write, Edit, Glob, Grep, and MCP tools. It also inspects file content being written, catching attempts to inject secrets, API tokens, or exfiltration payloads.

Configuration and Safety Model

Installation is straightforward: pip install nah && nah install. Configuration lives in ~/.config/nah/config.yaml for global rules and .nah.yaml for per-project overrides.

The security model has a smart constraint: project-level config files can only tighten permissions, never relax them. This prevents a malicious repository from shipping a .nah.yaml that allowlists dangerous commands. Only your user-level config can grant broader access.

For ambiguous cases, nah optionally consults an LLM (supporting Ollama, OpenRouter, OpenAI, Anthropic, and Snowflake Cortex) to help classify edge cases. The LLM can only resolve "ask" decisions, never override blocks.
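
The two rules above (project config can only tighten, and the LLM can only resolve "ask") both come down to an ordering on decisions: allow, then ask, then block. The sketch below is an added example, not nah's own code; the dict-based policy format, the "ask" default for categories the user has not configured, and the network_outbound category are assumptions made for illustration.

```python
from enum import IntEnum


class Decision(IntEnum):
    # Ordered by strictness, so "tighter" simply means "greater".
    ALLOW = 0
    ASK = 1
    BLOCK = 2


def merge_policies(user: dict, project: dict) -> dict:
    """Combine user-level and project-level rules; the project may only tighten.

    Both arguments map a category name to a Decision. A project entry that is
    looser than the user's decision for the same category has no effect.
    """
    merged = dict(user)
    for category, wanted in project.items():
        # Assumption: a category the user never configured starts at ASK,
        # so a repository cannot introduce a brand-new ALLOW either.
        base = user.get(category, Decision.ASK)
        merged[category] = max(base, wanted)
    return merged


def resolve_with_llm(decision: Decision, llm_verdict: Decision) -> Decision:
    """Let an LLM verdict settle ASK only; ALLOW and BLOCK pass through."""
    return llm_verdict if decision is Decision.ASK else decision


# Constructed sample policies using category names mentioned in the article.
USER = {
    "filesystem_read": Decision.ALLOW,
    "filesystem_delete": Decision.ASK,
    "git_history_rewrite": Decision.ASK,
}
# Constructed project-level file that tries to relax two rules and tighten one.
PROJECT = {
    "filesystem_delete": Decision.ALLOW,    # relax attempt: ignored
    "git_history_rewrite": Decision.BLOCK,  # tighten: honoured
    "network_outbound": Decision.ALLOW,     # hypothetical category: stays ASK
}

if __name__ == "__main__":
    for name, decision in merge_policies(USER, PROJECT).items():
        print(f"{name}: {decision.name}")
```

Because the merge takes the stricter of the two values per category, the order in which project entries are processed cannot change the outcome.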

You can dry-run classifications with nah test "rm -rf /" to see how any command would be handled, and nah log shows recent decisions with filtering by blocks, asks, or specific tools.

Who Should Use This

If you run Claude Code with --dangerously-skip-permissions because the constant approval prompts slow you down, nah is a better option. It lets safe operations flow through automatically while catching the commands that actually warrant attention. The tool is MIT-licensed and available on PyPI.