Nesbot
Governed AI engineering workflow

AI proposes.
The engine decides.

Nesbot turns AI-assisted development into a governed engineering workflow — repo-specific lawpacks enforce your standards, authenticated approval gates protect every phase, and baseline-aware review gives your team the signal to trust what ships.

✓ Repo-specific lawpacks ✓ Approval-gated ✓ Baseline-aware review ✓ Full audit trail
The problem

The problem isn't that AI can't write code.
The problem is that teams can't trust or govern what it writes.

AI assistants are excellent at generating code. They are not designed to enforce your team's standards, gate approvals, or give you a traceable record of what shipped.

Standards drift

AI writes code that compiles but doesn't match your conventions. Rules live in reviewers' heads, not in the system. Review burden grows as the codebase drifts.

Inconsistent review

Reviews depend on who's available and what they remember to check. No baseline, no classification of new versus already-known, no way to tell if things are getting better or worse.

No audit trail

When something breaks, you can't trace which AI run produced it, who approved the plan, or whether violations were overridden. No record means no accountability.

Why Nesbot

The governance layer your team is missing.

Conversational and agentic tools help individuals think and generate. Nesbot helps teams govern, approve, review, and operationalize that work.

Coding assistants
Claude Code · Cursor · Copilot Chat

Make engineers faster at generating and refactoring code. Strong on individual productivity. Not designed for team governance — no repo-specific standards, no approval gates, no audit trail.

Individual productivity

Agent frameworks
BMad · CrewAI · structured prompting

Add structure and planning context to AI interaction. Improve how individuals prompt and organize tasks. Standards still live in your head — there's no team execution or enforcement layer underneath.

Structured generation

Platform agents
Copilot Workspace · Devin · Codex

Automate more of the delivery loop. Closer to the problem, but still weak on approval gates, repo-specific standards, baseline-aware review, and traceable execution.

Delegated automation

Nesbot
Governed team execution — not just generation
  • Repo-specific lawpacks enforce your team's standards at every phase — not just at review
  • Authenticated approval gates at plan, apply, and review-accept — no silent execution
  • Baseline-aware review: every finding classified BASELINE / NEW / WORSENED — reviewers focus on what actually changed
  • Deterministic: identical inputs, identical outputs — reproducibility is the point
  • Append-only audit log in every PR — who approved, when, under which standards, any overrides with reasons
Lawpacks

Governance starts on day one.

Starter lawpack families ship with Nesbot — assign one to a repo and enforcement begins immediately. No weeks of standards setup before you get value. This is where most teams see results first.

Starter families per stack

TypeScript, Java, Python, React, Spring, Django, and universal quality standards. Real rules, not generic best-practice fluff. Assign a family and enforcement starts on the next PR.

Three enforcement levels

Rules classify as BLOCK (PR blocked), REQUIRES_APPROVAL (named override needed), or COMMENT_ONLY (advisory signal). Start advisory, escalate enforcement as your team aligns on what actually matters.

Evolves with your team

Starter families are a default, not a ceiling. Tighten or relax individual rules per repo as your team's conventions evolve.

โš–๏ธ Lawpack assignment ยท payments-api

assigned by OWNER

๐ŸŸฆ TypeScript Core Active

ts-core ยท 12 rules
  • no-any-without-justification BLOCK
  • forbids-bare-catch BLOCK
  • logger-redacts-pii REQUIRES_APPROVAL
  • test-files-mirror-src COMMENT_ONLY

๐Ÿ”’ TS Payments

ts-payments ยท 4 rules
  • require-idempotency-key BLOCK
  • stripe-error-handling REQUIRES_APPROVAL
Where teams start

Start where the pain is highest.

Start with one change. Each stage builds confidence before you expand.

Recommended starting point

👀 Review-first

Install the GitHub App. Nesbot reviews every PR against your lawpacks and baseline — nothing else changes. Value on the first PR: findings classified, baseline established, worsened violations surfaced before anything ships.

Start with review-first →

Zero workflow disruption: No changes to how engineers create or merge PRs
Value on day one: First PR surfaces your real baseline against your lawpacks
Works across team styles: Fast trunk-based or async — advisory or enforced, your choice

Then expand when it proves itself

02 📋 Governed planning

Produce plans constrained by your lawpacks before implementation begins. The value isn't that AI can plan — it's that the plan is governed by your actual standards.

Good for: teams wanting AI planning with standards enforcement

03 🔨 Small, scoped tasks

Run the full plan → approve → apply → review cycle on low-blast-radius tasks. Build confidence before expanding to complex or critical-path work.

Good for: teams building confidence in the full workflow

04 🚀 Broader integration

Expand to more repos, more task types, and broader team participation. Lawpacks evolve with the codebase. Approval authority distributes as confidence grows.

Good for: teams ready to operationalize AI-assisted delivery

How it works

Six structured stages. Humans at every gate.

AI proposes. The engine enforces. Humans approve at the gates that matter. Every phase produces a validated artifact — nothing lands without a signature.

01 📋 Plan

AI produces a structured plan — file operations, rationale, and blockers — validated against your lawpacks before any code is touched.

Proposes: AI

Human gate

02 ✅ Approve plan

A named operator reviews and approves the plan. Authenticated, logged, append-only. No implementation begins without explicit human sign-off.

Authority: Human

03 🔨 Apply

Implementation runs on an isolated branch. Every operation is committed with full provenance — operator as author, engine as committer. Resumable if interrupted.

Authority: Engine

Lawpack gate

04 ⚖️ Review

Lawpacks evaluate the diff. Every finding classified BASELINE / NEW / WORSENED. AI can't quietly degrade the codebase.

Judge: Lawpacks

Human gate

05 Accept

Operator accepts or overrides. Overrides require a reason — tracked, attributed, embedded in the PR body alongside the full approval trail.

Authority: Human

06 🚀 Publish

PR opens with a signed provenance footer — plan hash, approval log, review result, any overrides with reasons. Full traceability above the fold.

Authority: Human
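As an added illustration (not Nesbot's own code, which this page does not show), here is a minimal model of the Review stage's BASELINE / NEW / WORSENED classification combined with the three enforcement levels and the ENFORCE_ALL / SHADOW operating modes described under Workflow fit. Rule names come from the page's sample lawpack; the lawpack dict shape, the flat finding lists, the rule that only NEW or WORSENED findings can gate a PR, and the assumption that BLOCK cannot be overridden are assumptions of this example.

```python
from collections import Counter

# Enforcement levels and operating modes named on the page.
BLOCK, REQUIRES_APPROVAL, COMMENT_ONLY = "BLOCK", "REQUIRES_APPROVAL", "COMMENT_ONLY"
ENFORCE_ALL, SHADOW = "ENFORCE_ALL", "SHADOW"

# Assumed lawpack shape: rule id -> enforcement level (rule names from the page's sample).
LAWPACK = {
    "no-any-without-justification": BLOCK,
    "forbids-bare-catch": BLOCK,
    "logger-redacts-pii": REQUIRES_APPROVAL,
    "test-files-mirror-src": COMMENT_ONLY,
}

def classify(baseline, current):
    """Per-rule finding counts on the base branch vs. the PR branch ->
    BASELINE (count unchanged or lower), NEW (no findings before), WORSENED (count rose)."""
    before, after = Counter(baseline), Counter(current)
    out = {}
    for rule, count in after.items():
        if rule not in before:
            out[rule] = "NEW"
        else:
            out[rule] = "WORSENED" if count > before[rule] else "BASELINE"
    return out

def decide(classification, lawpack, mode=ENFORCE_ALL, overrides=None):
    """Gate decision. Assumptions: only NEW/WORSENED findings gate, BLOCK cannot be
    overridden, REQUIRES_APPROVAL passes only with a recorded override reason,
    and SHADOW mode reports but never blocks."""
    overrides = overrides or {}
    blocking, pending = [], []
    for rule, status in classification.items():
        level = lawpack.get(rule, COMMENT_ONLY)
        if status == "BASELINE" or level == COMMENT_ONLY:
            continue  # reported as advisory signal only
        if level == BLOCK:
            blocking.append(rule)
        elif rule not in overrides:
            pending.append(rule)
    if mode == SHADOW:
        return "PASS", blocking + pending
    if blocking:
        return "BLOCKED", blocking
    return ("NEEDS_APPROVAL", pending) if pending else ("PASS", [])

# Constructed sample findings: one entry per finding, as a flat list of rule ids.
BASE = ["logger-redacts-pii", "test-files-mirror-src", "test-files-mirror-src"]
PR = ["logger-redacts-pii", "logger-redacts-pii", "test-files-mirror-src", "forbids-bare-catch"]
```

With the constructed sample, `decide(classify(BASE, PR), LAWPACK)` blocks on the new forbids-bare-catch finding under ENFORCE_ALL, while the same input in SHADOW mode passes and merely reports both gating rules.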

Every decision is logged. Every override is attributed.

Sample approval trail from a Nesbot-published PR — embedded in every PR body:

PLAN_APPROVED jess@acme.dev approved plan for PAY-482 2026-05-06 09:14 password
APPLY_CONFIRMED jess@acme.dev confirmed apply on nesbot/PAY-482 2026-05-06 09:21 password
REVIEW_OVERRIDDEN tom@acme.dev overrode logger-redacts-pii — "audited separately via compliance process" 2026-05-06 09:38 browser-loopback
REVIEW_ACCEPTED jess@acme.dev accepted review for PAY-482 2026-05-06 09:42 password
Workflow fit

Hard-gated or advisory. Your choice.

Different teams have different risk tolerances and trust levels. Start where you are — operating mode can change as confidence grows.

Hard-gated

ENFORCE_ALL

PRs blocked on BLOCK violations. Right for teams that want a hard enforcement layer once they have confidence in their lawpack configuration. Every override is attributed and logged.

Advisory

SHADOW

Review runs silently alongside your existing pipeline — no blocking, no disruption. Understand where your codebase stands before committing to hard gates. Good for fast-moving teams.

Progressive rollout

Advisory → Enforced

Start advisory. Promote individual rules to BLOCK as your team aligns on what actually matters. Most teams follow this path — confidence in governance builds before enforcement tightens.

Start with one repo. One workflow. One month of signal.

Review-first means zero disruption. Nesbot reviews your next PR, classifies findings against your baseline, and shows you where your standards actually stand. Expand when it proves itself.

1 Connect GitHub → 2 Assign lawpacks → 3 Review first PR → 4 See your baseline → 5 Expand from there

No workflow changes required for review-first adoption.