Interactive Builder

Build your govern.json

Configure 139 governance checks, per-language rules, and 3-tier enforcement. Toggle options below — only non-default values are included.

Start Building
$ echo '{"version":"5.0","mode":"enforce"}' > govern.json
139
Scanner Checks
3-tier
Enforcement
40+
Config Sections
12
Languages Governed
Project Starter Kit

Start a new NAAb project

Every NAAb project needs two files: govern.json for runtime enforcement and CLAUDE.md for LLM code generation. Download both to your project root.

govern.json

Complete governance template with all 139 checks, per-language rules, and 3-tier enforcement. Customize to your project needs.
Download Template Use Builder

CLAUDE.md Template

Universal NAAb language reference for LLMs. Syntax rules, stdlib API, polyglot patterns, and 60 known gotchas. Download and rename to CLAUDE.md in your project.
Download CLAUDE.md View on GitHub
Quick Setup
mkdir my-project && cd my-project
curl -o CLAUDE.md https://raw.githubusercontent.com/b-macker/NAAb/master/CLAUDE-TEMPLATE.md
curl -O https://raw.githubusercontent.com/b-macker/NAAb/master/govern-template.json
mv govern-template.json govern.json
# Edit govern.json for your project, add project-specific sections to CLAUDE.md

Interactive Generator

Configure everything

Toggle options below. Only non-default values appear in your config.

Basics version, mode, description

Inherit from a base config file

Languages allowed, blocked, per-language

Require language to be in allowed list

Capabilities network, filesystem, shell, env, process

Network

Network enabled
HTTPS only
WebSockets
Raw sockets

Filesystem

Shell

Shell enabled

Environment Variables

Read
Write

Process

Spawn processes

Limits timeout, execution, data, code

Timeout (seconds)

Execution

Data

Code

Restrictions security checks, injection prevention

Code Quality 24 checks: secrets, PII, complexity floor, drift detection...

Contracts runtime assertions on function return values

Define return-value contracts per function. Checks: return_type, return_range, return_min/max, return_one_of, return_non_empty, return_keys, return_length_min/max, return_not_null.

Baselines record and compare outputs over time

Enable output baselines
Auto-record on first run
Hash-based keys

Custom Rules regex pattern matching

Output summary, errors, formatting, reports

Summary

Show passing

Errors

Verbose
Show help
Show examples

File Reports

Audit logging, tamper evidence, provenance

Tamper Evidence

Enable tamper evidence (hash chain)

Provenance

Record provenance
Sign records

Telemetry JSONL output for agent execution tracking

Enable telemetry

Agent Roles per-agent language & path restrictions

Define per-agent restrictions for multi-agent governance. Use --agent-id <name> CLI flag to identify the executing agent.

Polyglot variable binding, output, parallel, persistent runtime

Variable Binding

Require explicit variable binding

Output

Require JSON pipe
Require naab_return()

Parallel Execution

Persistent Runtime

Drift Tracking

Persist cross-language verification mismatches to JSONL for trend analysis.
Enable drift tracking
Include code hash

Project Context LLM files, linters, manifests

Enable project context awareness

Sources

LLM files (CLAUDE.md, etc.)
Linter configs
Package manifests

Extraction

Language preferences
Banned patterns
Style rules
Show extractions
Feed into optimization
Dry run

Meta schema validation, inheritance, feature flags

Schema Validation

Warn unknown keys
Suggest corrections

Inheritance

Environment

Allow env var substitution
Allow CLI override

Hooks on_violation, on_override, on_complete, pre/post_check

Taint Tracking sources, sinks, sanitizers, propagation

Scanner 139 checks across 6 categories + 6 language modules

Individual check overrides (empty_catch, god_functions, etc.) can be configured directly in the JSON output.

Scoring cumulative risk scoring with thresholds

Quality Gate pass/fail conditions for CI

Security sandbox level, network, strict types

Trust Ed25519 signature verification

Environments per-environment overrides (--env flag)

Agent Review dispatch mode, parallelism, fail strategy

Agent Dispatch thread pool for parallel agent calls

Requirements main block, error handling, naming

Integrity blocked flags, body hash

Runtime timeout, memory, GC

Governance Baseline regression tracking

Approval override approval workflow

Runtime Versions language version pinning

Contradiction Detection detect conflicting rules

Prerequisites pre-execution checks

govern.json
{
  "version": "5.0",
  "mode": "enforce"
}

3-Tier Enforcement

Three levels of control

Every check in govern.json can be set to one of three enforcement levels.

HARD

Blocks execution

Cannot be overridden. Use for security-critical rules: injection, secrets, privilege escalation.

SOFT

Blocks execution

Can bypass with --governance-override. Use for quality gates: placeholders, debug artifacts, incomplete logic.

ADVISORY

Warns only

Continues execution with a warning. Use for style guidance: naming conventions, complexity, documentation.


CLI Reference

Governance CLI flags

CommandDescription
naab file.naabRun with auto-discovered govern.json (walks up directories)
--governance-overrideBypass soft enforcement blocks (hard blocks still enforced)
--governance-dashboardPrint governance summary to stderr (checks passed/warned/blocked)
--governance-reportGenerate detailed execution report
--governance-sarifOutput SARIF format report (for CI integration)
--governance-junitOutput JUnit XML report
--env <name>Select governance environment (production, development, ci)
--agent-id <name>Enable per-agent governance role enforcement
--keygen <path>Generate Ed25519 signing keypair
--sign-governanceSign govern.json with Ed25519 key
--trust-key <path>Install a public key to the trust store
--list-keysList trusted key fingerprints
--scan <path>Run scanner standalone (139 checks, auto-detect language)
--timeout <N>Execution timeout in seconds
--tree-walkUse tree-walker interpreter instead of VM

Examples

Real-world configs

Personal Project

Just basic safety. Let everything run, block dangerous calls.
{
  "version": "5.0",
  "mode": "enforce",
  "languages": { "allowed": ["python", "javascript", "shell"] },
  "restrictions": {
    "dangerous_calls": { "level": "hard" }
  }
}

Open Source Library

Quality checks, no secrets, audit trail for contributors.
{
  "version": "5.0",
  "mode": "enforce",
  "languages": { "allowed": ["python", "javascript", "go"] },
  "code_quality": {
    "no_secrets": { "level": "hard" },
    "no_placeholders": { "level": "soft" },
    "no_debug_artifacts": { "level": "soft" }
  },
  "audit": { "level": "basic" }
}

Enterprise / Team

Full restrictions, custom rules, SARIF output for CI pipeline.
{
  "version": "5.0",
  "mode": "enforce",
  "languages": {
    "allowed": ["python", "javascript"],
    "per_language": {
      "python": {
        "banned_functions": ["eval(", "exec("],
        "imports": { "mode": "blocklist",
          "blocked": ["subprocess", "ctypes"] }
      }
    }
  },
  "restrictions": {
    "dangerous_calls": { "level": "hard" },
    "privilege_escalation": { "level": "hard" },
    "code_injection": { "level": "hard" }
  },
  "output": {
    "file_output": { "report_sarif": "governance.sarif" }
  }
}

AI Code Review Pipeline

Anti-hallucination. Catches stubs, fake APIs, simulation markers.
{
  "version": "5.0",
  "mode": "enforce",
  "code_quality": {
    "no_hallucinated_apis": { "level": "soft",
      "check_cross_language": true,
      "check_made_up_functions": true },
    "no_oversimplification": { "level": "hard",
      "check_empty_bodies": true,
      "check_fabricated_results": true },
    "no_incomplete_logic": { "level": "hard",
      "check_empty_catch": true },
    "no_simulation_markers": { "level": "hard" },
    "no_mock_data": { "level": "advisory" }
  }
}