NAAb Governance Builder — Configure govern.json

Project Starter Kit

Start a new NAAb project

Every NAAb project needs two files: govern.json for runtime enforcement and CLAUDE.md for LLM code generation. Download both to your project root.

govern.json

Complete governance template with all 50+ checks, per-language rules, and 3-tier enforcement. Customize to your project needs.

Download Template Use Builder

CLAUDE.md Template

Universal NAAb language reference for LLMs. Syntax rules, stdlib API, polyglot patterns, and 27 known gotchas. Download and rename to CLAUDE.md in your project.

Download CLAUDE.md View on GitHub

Quick Setup

mkdir my-project && cd my-project
curl -o CLAUDE.md https://raw.githubusercontent.com/b-macker/NAAb/master/CLAUDE-TEMPLATE.md
curl -O https://raw.githubusercontent.com/b-macker/NAAb/master/govern-template.json
mv govern-template.json govern.json
# Edit govern.json for your project, add project-specific sections to CLAUDE.md

Interactive Generator

Configure everything

Toggle options below. Only non-default values appear in your config.

Basics version, mode, description

▶

Version

Mode

Description

Extends

Inherit from a base config file

Languages allowed, blocked, per-language

▶

Allowed Languages

Blocked Languages

Require language to be in allowed list

Capabilities network, filesystem, shell, env, process

▶

Network

Network enabled

HTTPS only

WebSockets

Raw sockets

Blocked Hosts

Filesystem

Mode

Blocked Paths

Blocked Extensions

Shell

Shell enabled

Blocked Commands

Environment Variables

Read

Write

Blocked Read

Process

Spawn processes

Max processes

Limits timeout, execution, data, code

▶

Timeout (seconds)

Global

Per block

Total polyglot

Execution

Call depth

Polyglot blocks

Parallel blocks

Data

Array size

String length

Nesting depth

Code

Max lines/block

Max functions

Max nesting

Restrictions security checks, injection prevention

▶

Code Quality 21 checks: secrets, PII, complexity floor...

▶

Contracts runtime assertions on function return values

▶

Enforcement Level

Define return-value contracts per function. Checks: return_type, return_range, return_min/max, return_one_of, return_non_empty, return_keys, return_length_min/max, return_not_null.

Baselines record and compare outputs over time

▶

Enable output baselines

Level

Path

Tolerance

Auto-record on first run

Hash-based keys

Custom Rules regex pattern matching

▶

Output summary, errors, formatting, reports

▶

Summary

Format

Show passing

Errors

Verbose

Show help

Show examples

Max errors/rule

Max total errors

File Reports

SARIF

JUnit

JSON

Audit logging, tamper evidence, provenance

▶

Level

Output file

Tamper Evidence

Enable tamper evidence (hash chain)

Provenance

Record provenance

Sign records

Polyglot variable binding, output, parallel, persistent runtime

▶

Variable Binding

Require explicit variable binding

Output

Require JSON pipe

Require naab_return()

Parallel Execution

Max parallel blocks

Timeout/block (sec)

Fail strategy

Persistent Runtime

Max sessions

Session timeout (sec)

Drift Tracking

Persist cross-language verification mismatches to JSONL for trend analysis.

Enable drift tracking

Path

Max entries

Trend window

Escalation threshold

Include code hash

Meta schema validation, inheritance, feature flags

▶

Schema Validation

Warn unknown keys

Suggest corrections

Inheritance

Max depth

Merge strategy

Environment

Allow env var substitution

Allow CLI override

Hooks on_violation, on_override, on_complete, pre/post_check

▶

on_violation command

on_override command

on_complete command

pre_check command

post_check command

govern.json

{
  "version": "3.0",
  "mode": "enforce"
}

3-Tier Enforcement

Three levels of control

Every check in govern.json can be set to one of three enforcement levels.

HARD

Blocks execution

Cannot be overridden. Use for security-critical rules: injection, secrets, privilege escalation.

SOFT

Blocks execution

Can bypass with --governance-override. Use for quality gates: placeholders, debug artifacts, incomplete logic.

ADVISORY

Warns only

Continues execution with a warning. Use for style guidance: naming conventions, complexity, documentation.

CLI Reference

Governance CLI flags

Command	Description
`naab file.naab`	Run with auto-discovered govern.json (walks up directories)
`--governance-override`	Bypass `soft` enforcement blocks (hard blocks still enforced)
`--governance-report`	Generate execution report
`--governance-sarif`	Output SARIF format report (for CI integration)
`--governance-junit`	Output JUnit XML report

Examples

Real-world configs

Personal Project

Just basic safety. Let everything run, block dangerous calls.

{
  "version": "3.0",
  "mode": "enforce",
  "languages": { "allowed": ["python", "javascript", "shell"] },
  "restrictions": {
    "dangerous_calls": { "level": "hard" }
  }
}

Open Source Library

Quality checks, no secrets, audit trail for contributors.

{
  "version": "3.0",
  "mode": "enforce",
  "languages": { "allowed": ["python", "javascript", "go"] },
  "code_quality": {
    "no_secrets": { "level": "hard" },
    "no_placeholders": { "level": "soft" },
    "no_debug_artifacts": { "level": "soft" }
  },
  "audit": { "level": "basic" }
}

Enterprise / Team

Full restrictions, custom rules, SARIF output for CI pipeline.

{
  "version": "3.0",
  "mode": "enforce",
  "languages": {
    "allowed": ["python", "javascript"],
    "per_language": {
      "python": {
        "banned_functions": ["eval(", "exec("],
        "imports": { "mode": "blocklist",
          "blocked": ["subprocess", "ctypes"] }
      }
    }
  },
  "restrictions": {
    "dangerous_calls": { "level": "hard" },
    "privilege_escalation": { "level": "hard" },
    "code_injection": { "level": "hard" }
  },
  "output": {
    "file_output": { "report_sarif": "governance.sarif" }
  }
}

AI Code Review Pipeline

Anti-hallucination. Catches stubs, fake APIs, simulation markers.

{
  "version": "3.0",
  "mode": "enforce",
  "code_quality": {
    "no_hallucinated_apis": { "level": "soft",
      "check_cross_language": true,
      "check_made_up_functions": true },
    "no_oversimplification": { "level": "hard",
      "check_empty_bodies": true,
      "check_fabricated_results": true },
    "no_incomplete_logic": { "level": "hard",
      "check_empty_catch": true },
    "no_simulation_markers": { "level": "hard" },
    "no_mock_data": { "level": "advisory" }
  }
}

Build your govern.json

Start a new NAAb project

govern.json

CLAUDE.md Template

Configure everything

Basics version, mode, description

Languages allowed, blocked, per-language

Capabilities network, filesystem, shell, env, process

Network

Filesystem

Shell

Environment Variables

Process

Limits timeout, execution, data, code

Timeout (seconds)

Execution

Data

Code

Restrictions security checks, injection prevention

Code Quality 21 checks: secrets, PII, complexity floor...

Contracts runtime assertions on function return values

Baselines record and compare outputs over time

Custom Rules regex pattern matching

Output summary, errors, formatting, reports

Summary

Errors

File Reports

Audit logging, tamper evidence, provenance

Tamper Evidence

Provenance

Polyglot variable binding, output, parallel, persistent runtime

Variable Binding

Output

Parallel Execution

Persistent Runtime

Drift Tracking

Project Context LLM files, linters, manifests

Sources

Extraction

Meta schema validation, inheritance, feature flags

Schema Validation

Inheritance

Environment

Hooks on_violation, on_override, on_complete, pre/post_check

Three levels of control

Blocks execution

Blocks execution

Warns only

Governance CLI flags

Real-world configs

Personal Project

Open Source Library

Enterprise / Team

AI Code Review Pipeline