AI proposes.
The engine decides.
Nesbot turns AI-assisted development into a governed engineering workflow: repo-specific lawpacks enforce your standards, authenticated approval gates protect every phase, and baseline-aware review gives your team the signal to trust what ships.
| File · Line | Rule | Lawpack | Outcome |
|---|---|---|---|
| src/payments/refund.ts:142 | require-idempotency-key | ts-payments | BLOCK |
| src/payments/webhook.ts:88 | forbids-bare-catch | ts-core | BLOCK |
| src/lib/log.ts:31 | logger-redacts-pii | ts-core | REQUIRES_APPROVAL |
| src/payments/types.ts:9 | requires-zod-schema | ts-payments | COMMENT_ONLY |
The problem isn't that AI can't write code.
The problem is that teams can't trust or govern what it writes.
AI assistants are excellent at generating code. They are not designed to enforce your team's standards, gate approvals, or give you a traceable record of what shipped.
Standards drift
AI writes code that compiles but doesn't match your conventions. Rules live in reviewers' heads, not in the system. Review burden grows as the codebase drifts.
Inconsistent review
Reviews depend on who's available and what they remember to check. No baseline, no classification of new versus already-known, no way to tell if things are getting better or worse.
No audit trail
When something breaks, you can't trace which AI run produced it, who approved the plan, or whether violations were overridden. No record means no accountability.
The governance layer your team is missing.
Conversational and agentic tools help individuals think and generate. Nesbot helps teams govern, approve, review, and operationalize that work.
Make engineers faster at generating and refactoring code. Strong on individual productivity. Not designed for team governance: no repo-specific standards, no approval gates, no audit trail.
Individual productivity
Add structure and planning context to AI interaction. Improve how individuals prompt and organize tasks. Standards still live in your head; there's no team execution or enforcement layer underneath.
Structured generation
Automate more of the delivery loop. Closer to the problem, but still weak on approval gates, repo-specific standards, baseline-aware review, and traceable execution.
Delegated automation
- Repo-specific lawpacks enforce your team's standards at every phase, not just at review
- Authenticated approval gates at plan, apply, and review-accept; no silent execution
- Baseline-aware review: every finding classified BASELINE / NEW / WORSENED, so reviewers focus on what actually changed
- Deterministic: identical inputs, identical outputs; reproducibility is the point
- Append-only audit log in every PR: who approved, when, under which standards, any overrides with reasons
Governance starts on day one.
Starter lawpack families ship with Nesbot: assign one to a repo and enforcement begins immediately. No weeks of standards setup before you get value. This is where most teams see results first.
Starter families per stack
TypeScript, Java, Python, React, Spring, Django, and universal quality standards. Real rules, not generic best-practice fluff. Assign a family and enforcement starts on the next PR.
Three enforcement levels
Rules classify as BLOCK (PR blocked), REQUIRES_APPROVAL (named override needed), or COMMENT_ONLY (advisory signal). Start advisory, escalate enforcement as your team aligns on what actually matters.
Evolves with your team
Starter families are a default, not a ceiling. Tighten or relax individual rules per repo as your team's conventions evolve.
Lawpack assignment · payments-api
TypeScript Core (Active)
ts-core · 12 rules
- no-any-without-justification BLOCK
- forbids-bare-catch BLOCK
- logger-redacts-pii REQUIRES_APPROVAL
- test-files-mirror-src COMMENT_ONLY
Test Discipline (Recommended)
test-discipline · 6 rules
- require-unit-tests-per-module BLOCK
- no-skipped-tests-in-main REQUIRES_APPROVAL
TS Payments
ts-payments · 4 rules
- require-idempotency-key BLOCK
- stripe-error-handling REQUIRES_APPROVAL
Start where the pain is highest.
Start with one change. Each stage builds confidence before you expand.
Review-first
Install the GitHub App. Nesbot reviews every PR against your lawpacks and baseline; nothing else changes. Value on the first PR: findings classified, baseline established, worsened violations surfaced before anything ships.
Start with review-first, then expand when it proves itself.
Governed planning
Produce plans constrained by your lawpacks before implementation begins. The value isn't that AI can plan; it's that the plan is governed by your actual standards.
Small, scoped tasks
Run the full plan → approve → apply → review cycle on low-blast-radius tasks. Build confidence before expanding to complex or critical-path work.
Broader integration
Expand to more repos, more task types, and broader team participation. Lawpacks evolve with the codebase. Approval authority distributes as confidence grows.
Six structured stages. Humans at every gate.
AI proposes. The engine enforces. Humans approve at the gates that matter. Every phase produces a validated artifact; nothing lands without a signature.
Plan
AI produces a structured plan (file operations, rationale, and blockers), validated against your lawpacks before any code is touched.
Approve plan
A named operator reviews and approves the plan. Authenticated, logged, append-only. No implementation begins without explicit human sign-off.
Apply
Implementation runs on an isolated branch. Every operation is committed with full provenance: operator as author, engine as committer. Resumable if interrupted.
Review
Lawpacks evaluate the diff. Every finding classified BASELINE / NEW / WORSENED. AI can't quietly degrade the codebase.
Accept
Operator accepts or overrides. Overrides require a reason: tracked, attributed, embedded in the PR body alongside the full approval trail.
Publish
PR opens with a signed provenance footer: plan hash, approval log, review result, any overrides with reasons. Full traceability above the fold.
Every decision is logged. Every override is attributed.
Sample approval trail from a Nesbot-published PR, embedded in every PR body:
Hard-gated or advisory. Your choice.
Different teams have different risk tolerances and trust levels. Start where you are; operating mode can change as confidence grows.
Hard-gated
PRs blocked on BLOCK violations. Right for teams that want a hard enforcement layer once they have confidence in their lawpack configuration. Every override is attributed and logged.
Advisory
Review runs silently alongside your existing pipeline: no blocking, no disruption. Understand where your codebase stands before committing to hard gates. Good for fast-moving teams.
Progressive rollout
Start advisory. Promote individual rules to BLOCK as your team aligns on what actually matters. Most teams follow this path: confidence in governance builds before enforcement tightens.
Start with one repo. One workflow. One month of signal.
Review-first means zero disruption. Nesbot reviews your next PR, classifies findings against your baseline, and shows you where your standards actually stand. Expand when it proves itself.
No workflow changes required for review-first adoption.