Manuel Schipper Ships 'nah' Context Guard for Claude Code
Open-source developer Manuel Schipper has launched 'nah,' a PreToolUse hook for Claude Code that performs real-time, context-aware classification of tool calls to enhance security. The tool aims to replace brittle allow/deny lists with intelligent analysis, preventing dangerous file operations and credential exposure without disabling functionality.
AI coding assistants like Claude Code operate with blunt, binary permissions systems, leaving developer files and credentials vulnerable to unintended or cleverly engineered tool calls. Independent developer Manuel Schipper has released 'nah,' an open-source, context-aware permission guard that analyzes every tool request in real-time, introducing a critical layer of intelligent security for AI-assisted development.
The tool directly addresses a growing pain point: Claude's current 'allow-or-deny' per-tool model fails to account for the context of an action. 'nah' intercepts each call, classifying it by intent and target before execution, aiming to prevent the deletion of untracked files, the exfiltration of keys, or the installation of malware that a highly capable model might inadvertently or deliberately initiate.
The tool directly addresses a growing pain point: Claude's current 'allow-or-deny' per-tool model fails to account for the context of an action. 'nah' intercepts each call, classifying it by intent and target before execution, aiming to prevent the deletion of untracked files, the exfiltration of keys, or the installation of malware that a highly capable model might inadvertently or deliberately initiate.
The core innovation of 'nah' is its position as a PreToolUse hook within the Claude Code environment. Instead of relying on static, tool-level permissions that users must configure in advance, 'nah' analyzes each individual tool call as it is generated by the AI. It classifies the call based on what the tool is attempting to do and what system resources it targets, making a contextual allow/deny decision before any code executes on the user's machine.
What Happened: From Binary to Contextual Security
Manuel Schipper published 'nah' to GitHub on March 11, 2026, framing it as a necessary evolution from Claude's native permission system. The project's documentation highlights the inherent scalability problem of per-tool permissions: deleting files is sometimes a legitimate part of a cleanup task, but disastrous if targeting untracked work. Similarly, a git checkout command is usually safe but can become destructive in specific branches or states.
Schipper argues that maintaining a deny list for specific commands is a "fool's errand" against a model as capable as Claude 3 Opus, which can often find alternative pathways to achieve a blocked goal. 'nah' shifts the paradigm from blocking tools to evaluating actions, seeking to understand the intent and potential impact of each discrete operation the AI proposes.
Why This Matters for AI-Assisted Development
The release speaks to a maturing phase in the adoption of AI coding assistants. As these tools move from experimental curiosities to integrated parts of the developer workflow, their security and safety models require equal sophistication. A binary permission system may suffice for limited, sandboxed tasks but becomes a significant liability when an AI has broad access to a live codebase, terminal, and file system.
'nah' addresses the principal-agent risk between a developer and a powerful AI. The developer delegates coding tasks but may lack full visibility into the sequence of low-level system calls the AI will use to accomplish them. By inserting a reasoning layer that evaluates these calls, 'nah' acts as a guardrail, potentially preventing catastrophic errors or mitigating prompt injection attacks that trick the AI into performing harmful actions. This is crucial for enterprise adoption, where liability and code integrity are non-negotiable.
The People and Competitive Context
Manuel Schipper operates as an independent developer, and 'nah' is presented as an open-source utility, not a commercial product. This positions it as a community-driven solution to a gap left by larger providers. Anthropic, the creator of Claude, has built its reputation on a focus on AI safety and constitutional principles. However, the safety mechanisms for its Claude Code interpreter have remained relatively basic, focusing on user consent for tool categories.
'nah' enters a small but growing niche of tools designed to manage and secure AI agent interactions. It contrasts with approaches that seek to sandbox the entire AI environment or those that rely solely on pre-execution user prompts for approval. Its context-aware classification system suggests a path forward where the security layer itself uses some form of reasoning—potentially leveraging a small, fast model—to make granular decisions, a middle ground between full autonomy and constant interruption.
What Happens Next
The immediate test for 'nah' will be its adoption and refinement by the developer community. Key questions remain about its classification accuracy, performance overhead, and resilience against adversarial prompts designed to bypass its logic. The project's success will depend on its rule set's ability to generalize across diverse coding tasks without creating excessive false positives that hinder developer productivity.
Anthropic and other AI labs providing code assistants will be watching. A successful open-source model like 'nah' could pressure these companies to build more sophisticated, context-aware permission systems directly into their products. The longer-term trajectory points toward AI assistants that can explain not just their high-level plans, but the safety implications of their proposed low-level actions, with guardrails that are intelligent, configurable, and transparent.
Source and attribution
Hacker News
Show HN: A context-aware permission guard for Claude Code
Discussion
Add a comment