The only language with built-in AI governance

Govern AI-generated code
at the language level

NAAb enforces code quality, security, and correctness as runtime constraints — not suggestions. A single govern.json controls what executes across 12 languages in one file.

Get Started Read the Docs
$ git clone https://github.com/b-macker/NAAb.git && cd NAAb && cmake -B build && make -C build naab-lang
50+
Governance Checks
3-tier
Enforcement
12
Languages Governed
13
Stdlib Modules
325
Tests Passing
LLM Governance Engine

Ship AI-generated code with confidence

Drop a govern.json in your project. NAAb checks every polyglot block against your policies before execution.

govern.json
{
  "version": "3.0",
  "mode": "enforce",

  "languages": {
    "allowed": ["python", "javascript"]
  },

  "code_quality": {
    "no_secrets": { "level": "hard" },
    "no_sql_injection": { "level": "hard" },
    "no_oversimplification": { "level": "hard" },
    "no_incomplete_logic": { "level": "soft" },
    "no_hallucinated_apis": { "level": "soft" }
  }
}
Terminal
$ naab-lang app.naab

Error: Hallucinated API in python block:
  ".push()" SOFT

  Rule: code_quality.no_hallucinated_apis

  Help:
  .push() is JavaScript
  In Python, use .append()

  To override: --governance-override

Hard Hallucinated API Detection

Catches .push() in Python, print() in JS, json.stringify() instead of json.dumps() — with "did you mean?" corrections for 86+ patterns across Python and JavaScript.

Hard Oversimplification Detection

Detects stub functions, pass-only bodies, validate() that always returns True, identity functions, NotImplementedError, and fabricated status responses. 35+ patterns.

Soft Incomplete Logic Detection

Catches except:pass, bare raises, vague error messages like "something went wrong", degenerate loops, and always-true/false conditions. 40+ patterns.

Hard Security Analysis

SQL injection, path traversal, shell injection, privilege escalation, unsafe deserialization, data exfiltration, and entropy-based secret detection.

Advisory Code Quality

Placeholders (TODO/FIXME), dead code, debug artifacts, simulation markers, mock data, apologetic language, hardcoded URLs/IPs, and PII detection.

Info CI/CD Integration

Export governance results as SARIF for GitHub Code Scanning, JUnit XML for Jenkins/GitLab CI, or JSON for custom tooling. Three enforcement levels: HARD, SOFT, ADVISORY.

Advisory Project Context Awareness

Opt-in: governance reads your CLAUDE.md, .editorconfig, .eslintrc, package.json and more. Extracts rules, bans, and style preferences — then supplements govern.json without overriding it. Three layers, each toggleable.

Soft Cross-Language Verification

Automatically re-runs polyglot blocks through additional language runtimes and compares results. Catches silent computation errors, floating-point drift, and off-by-one bugs that a single runtime would miss.

Why this matters for AI-generated code

Prompts are suggestions. Governance is enforcement. NAAb controls AI output at the runtime level — where it can't be bypassed.

The problem: AI Drift

Every AI session starts fresh. No memory of your standards, security rules, or architecture. The result:

  • Hallucinated APIs that don't exist
  • Language choices that ignore project constraints
  • Stubs and TODO placeholders shipped as "complete"
  • Security patterns bypassed for simplicity
  • Each generation drifts further from your standards

The fix: Runtime governance

AI generates whatever it wants. govern.json decides what actually executes:

  • 50+ checks validate every block before execution
  • Language whitelists enforced as hard blocks, not hints
  • Banned functions caught before they run
  • Same rules govern every session, every developer
  • Audit trail: what passed, what was blocked, and why
50+
checks per execution
3-tier
hard / soft / advisory
0
hallucinations reach prod

Trust, but verify

Enable cross-language verification in govern.json. NAAb re-runs each polyglot block through independent runtimes and reports consensus — or flags drift.

govern.json
{
  "verification": {
    "enabled": true,
    "enforcement_level": "soft",
    "consensus_languages": ["python", "javascript", "go"],
    "tolerance": 1e-10
  }
}
Terminal
$ naab-lang app.naab

[VERIFY] Line 12: python block
  Consensus: 3/3 agree (python, javascript, go)
  Result: 4950

[VERIFY] Line 28: javascript block
  DRIFT DETECTED: 2/3 agree
  javascript → "0.30000000000000004"
  python     → "0.3"
  go         → "0.3"

Measure, don't guess

Governance suggestions are backed by real benchmarks on your machine. Calibrate once, get measured recommendations with confidence labels.

Calibrate
$ naab-lang calibrate

Languages: python, go, rust, nim, shell
Iterations: 3

numerical:
  #1        go       879 us  ####################  100
  #2      rust     8,963 us  ##                      9
  #3    python    51,800 us                          1

string:
  #1  javascript  63,000 us  ####################  100
  #2      rust    80,270 us  ################     78
  #3    python   105,816 us  ############         59

Calibration saved to ~/.naab/calibration.json
Race
$ naab-lang race app.naab --block 2

Racing block [2]: <<python>> at line 38
Code: sum(range(100))

Detected task: numerical

  RACE RESULTS (calibrated)
  #1        go       879 us  ####################  100
  #2      rust     8,963 us  ##                      9
  #7    python    51,800 us                          1  <-- YOU

  Your block: python (score: 1/100)
  Fastest:    go (58.9x faster)

Confidence: CALIBRATED
Polyglot Execution

Twelve languages. One file. Zero boilerplate.

Use each language where it shines. Variables flow between languages automatically — no FFI, no serialization, no microservices.

Python
JavaScript
Rust
C++
Go
C#
Ruby
PHP
Shell
Nim
Zig
Julia
app.naab
main {
    let numbers = [10, 20, 30, 40, 50]

    // Python: statistical analysis
    let stats = <<python[numbers]
import statistics
mean = statistics.mean(numbers)
stdev = statistics.stdev(numbers)
f"mean={mean}, stdev={stdev:.1f}"
>>

    // Rust: high-performance hashing
    let hash = <<rust
fn main() {
    let input = std::env::args().last()
        .unwrap();
    println!("{:x}", md5::compute(
        input.as_bytes()
    ));
}
>>

    print(stats)
    print(hash)
}
Output
$ naab-lang app.naab

mean=30, stdev=15.8

a7b9f3e2d1c4...

───────────────────────
2 polyglot blocks executed
  python  ............  42ms
  rust    ............  18ms
Platform

Everything you need to build polyglot applications

Modern language features, a rich standard library, and developer tools that make polyglot programming productive.

Pattern Matching

Expressive match expressions with exhaustive checking, wildcard patterns, and value binding.

Async / Await

Non-blocking concurrent execution with async functions and await for I/O-bound operations.

λ

Lambdas & Closures

First-class functions with closure capture. Pass functions as values, return them, store them in data structures.

Pipeline Operator

Chain operations with |> for readable data transformation pipelines. Left-to-right composition.

📁

Module System

Import/export with named imports, wildcard imports, and aliasing. Organize code across multiple files.

Error Handling

try/catch/throw with polyglot error propagation. Errors from Python or JavaScript blocks flow into NAAb's catch.

Variable Binding

Pass variables into polyglot blocks with <<python[x, y]. Automatic serialization across language boundaries.

Parallel Execution

Independent polyglot blocks run in parallel automatically. Dependency analysis ensures correct ordering.

💬

Smart Errors

"Did you mean?" suggestions for typos, detailed error messages with examples, and common mistake detection.

Standard Library

13 modules. Batteries included.

A comprehensive standard library with 204 error messages, "Did you mean?" suggestions, and detailed documentation.

array
Push, pop, map, filter, reduce, sort, slice
string
Split, join, upper, lower, trim, replace, reverse
math
Sqrt, pow, abs, floor, ceil, round, trig, random
json
Parse, stringify, query, validate
http
GET, POST, PUT, DELETE with headers
file
Read, write, append, exists, delete, list
time
Now, sleep, format, parse, duration
debug
Inspect, trace, watch, snapshot, diff, assert
env
Get, set, list environment variables
csv
Read, write, parse CSV data
regex
Match, search, replace, split, groups
crypto
Hash, HMAC, random bytes, UUID
bolo
Governance scanning, hallucination detection, reports
Architecture

Built on solid foundations

73,000+ lines of modern C++17. Recursive descent parser, AST visitor pattern interpreter, and isolated polyglot executors.

Source (.naab)
Lexer
Parser
Governance
Interpreter
Executors

Python

Embedded via C API. In-process execution with variable injection.

JavaScript

Embedded QuickJS engine. Isolated runtime with fast startup.

Compiled

Rust, C++, Go, C#, Nim, Zig compile to native binaries. Julia JIT-compiled. Thread-safe temp files.

Built with NAAb

NAAb BOLO

Enterprise LLM & AI Governance Platform — 100% NAAb, best language for every task

Rust
Parallel file walking — 10x faster than Python os.walk, respects .gitignore
C++
Pattern matching — 50+ regex checks at native speed, compile-once patterns
Python
Tool orchestration — flake8, bandit, pytest, HTML reports, AI governance
NAAb
Orchestration — CLI, profiles, output formatting, polyglot dispatch
5 scripts
4 languages
50+ checks
64 regression tests
Learn More
Built with NAAb

NAAb Pivot

Polyglot Code Evolution & Optimization Platform — 3-60x speedups with proven correctness

Analyze
AST-based code analysis — detect hotspots automatically across 8 source languages
Synthesize
Code generation — Go, Rust, C++, Zig, Julia with template-based optimization
Validate
Parity proof — 99.99% confidence with 100+ statistical test cases
Benchmark
Performance tracking — regression detection with multi-format reports
8 target languages
10 proven examples
3-60x speedups
99.99% confidence
Learn More
Built with NAAb

NAAb Passage

Sovereign Data Gateway & PII Protection — Zero leakage with mathematical certainty

Sovereign
NAAb brain owns all decisions — polyglot workers are "dumb muscle"
Self-Synthesizing
Compiles workers at boot with SHA-256 verification & forensic shredding
Hardware Isolation
CPU pinning, network namespaces — hostile cloud ready
PII Detection
SSN, credit cards, secrets — HIPAA, GDPR, SOC2 compliant
Input: API request with potential PII
Output: Validated, redacted, or blocked
Result: Zero PII leakage
Architecture
Sovereign
Detection Rate
100%
False Positives
< 0.01%
Learn More

Ready to go polyglot?

NAAb is open source, MIT licensed, and ready for your next project.

View on GitHub Quick Start Guide Governance Reference