[felix9527]

Interesting approach to the PreToolUse side. I've been building on the other end — PostToolUse hooks that commit every tool call to an append-only Merkle tree (RFC 6962 transparency log style).

  The two concerns are complementary: "nah" answers "should this action be allowed?" while a transparency log answers "can we prove what actually happened, after the fact?"

  For the adversarial cases people are raising (obfuscated commands, indirect execution) — even if a classifier misses something at pre-execution time, an append-only log with inclusion proofs means the action is still
  cryptographically recorded. You can't quietly delete the embarrassing entries later.

  The hooks ecosystem is becoming genuinely useful. PreToolUse for policy enforcement, PostToolUse for audit trail, SessionStart/End for lifecycle tracking. Would be great to see these compose — a guard that also commits
  its allow/deny decisions to a verifiable log.

[schipperai]

Very cool approach! the immutable log file fits well with nah. I'll take it into account for richer audit trail capabilities. Would be curious to see your hook implementation if its public anywhere

[felix9527]

Sure — it's at https://github.com/PunkGo/punkgo-jack

It hooks into PostToolUse, PreToolUse, SessionStart/End, and UserPromptSubmit. Each event gets submitted to a local kernel that appends it to an RFC 6962 Merkle tree. You can then verify any event with an inclusion proof, or check log integrity between two checkpoints with a consistency proof.

The verify command works offline — just needs the checkpoint and tile hashes, no daemon required. There's also a Go implementation in examples/verify-go/ that independently verifies the same proofs, to show it's not tied to one language.

Would be interesting to explore composing nah's classification decisions with a verifiable log — every allow/deny gets a receipt too.

[schipperai]

looks neat! and fits perfectly with nah. I can see enterprises starting to care more about this as more people adopt coding CLIs and prod goes boom more often.

[felix9527]

Exactly. The moment an agent touches prod, "we logged it" isn't enough — you need "here's the cryptographic proof of what happened, and you can verify it without trusting us."

Compliance teams (SOC 2, EU AI Act Article 12) will demand this. The nice part is RFC 6962 is already battle-tested at scale — Certificate Transparency processes billions of entries. Same math, different domain.