Releases: b-macker/NAAb

v1.8.0 — Agent Orchestration, Enterprise Governance, Runtime Hardening

12 Jun 13:00
b63a046

Major feature release — 119 commits since v1.7.0.

Agent Orchestration

NAAb is now a practical agent orchestration language with built-in governance, tamper-evident audit trails, and adaptive safety controls.

  • Tool execution loop: agent.register_tool() with 7-layer governed defense (declaration, admission, argument scan, scoped sandbox, result scan, budget check, behavioral)
  • Pipeline with provenance: agent.pipeline() carries upstream trust signals (model, retries, coherence, fallback status) to downstream stages
  • Parallel primitives: agent.fan_out() and agent.batch() for multi-agent parallel workflows
  • Code extraction: agent.extract_code() extracts code from LLM markdown fences
  • Orchestra module: orchestra.consensus_vote(), orchestra.enforce_convergence(), orchestra.sequential_refinement()
  • Codegen module: codegen.run_strict() routes runtime-generated code through 39+ governance checks
  • Agent resilience — key rotation, retry with exponential backoff + jitter, model fallback chains, run-level hard stop budgets
  • Self-awareness: agent.environment() exposes birth snapshot, live state, and config change notices

8-Demo Suite (demos/agent-orchestration/)

#  | Demo                     | Pattern
01 | Single agent             | Pre-flight check, one-shot, accounting
02 | Multi-turn tools         | Tool governance (dual-gate), conversation state
03 | Parallel review          | Fan-out, independent governance per agent
04 | Pipeline refine          | Sequential chain, upstream provenance
05 | Consensus gate           | Multi-agent voting, convergence validation
06 | Self-correcting codegen  | Governance blocks bad code, agent fixes it
07 | Adaptive orchestration   | governance.health() drives decisions
08 | Traceability proof       | Full decision chain + hash chain verification

All demos tested end-to-end with live Gemini API (gemma-4-31b-it).

Governance Hardening

  • GovernanceHardError — uncatchable HARD exceptions (_exit(3)), NAAb try/catch cannot intercept
  • EnforcementLevel::DETECT — catchable variant for test configs
  • Governance Pulse: HEALTHY/DEGRADED/IMPAIRED real-time self-assessment with hysteresis and stepped recovery
  • Standing Lease — TTL on agent authorization (Kerberos TGT analog) with step-up challenges
  • Advisory Escalation — repeated advisories harden (OSHA violation analog)
  • Evidence Epoch — monotonic counter for evidence freshness, prior-epoch evidence discounted
  • Subprocess containment — OS-level restrictions on polyglot child processes (RLIMIT_NPROC, PATH restriction, env scrubbing, timeout+SIGKILL)
  • env_vars enforcement: blocked_read/allowed_read/blocked_write/allowed_write enforced at all 9 env access points
  • Error message hardening — 34 information leaks fixed, 738 security checks
  • VM taint clearing: OP_GOV_TAINT_CLEAR implemented (was stub NOP); compiler emits on sanitizer calls
  • Authority decay fix — Ed25519 timestamp now included in signed payload (was appended after signing, allowing forgery)
  • Governance entropy fix — uses windowed check results instead of cumulative counter that decayed to zero
  • Bessel's correction — CDD baseline variance uses n/(n-1) sample variance for small samples
  • consensus_vote() fix — exact string match prevents "NOT_APPROVED_YET" matching as APPROVED

Enterprise Readiness

  • Policy distribution: govern.json extends/inheritance with signature verification
  • Telemetry forwarding — webhook and SIEM push of JSONL events
  • Multi-key auth — REST API with scoped permissions (read/write/admin)
  • Hot-reload — polyglot executor configs reload on govern.json changes mid-run
  • Tamper-evident audit trails — hash-chained telemetry proves no events deleted or modified
  • Signed attestations — Ed25519 execution attestations + approval CLI
  • Configurable governance coefficients — 14 hardcoded CDD/pressure/pulse thresholds extracted to govern.json (context_drift.thresholds, reality_checkpoint scaling, governance_health pulse params)
  • Complexity scoring weights: complexity_floor.weights in govern.json overrides syntactic scoring formula (17 tunable weights)
  • Default rationale documentation — all governance defaults annotated with reasoning
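
How a hash-chained JSONL trail like the one in the "Tamper-evident audit trails" item can be checked, as an added example that is not NAAb's own code. The record layout (prev, body, hash), the all-zero genesis value and the sample events are assumptions; the release notes do not give the telemetry format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def _digest(prev_hash, body):
    # Hash covers the previous record's hash plus a canonical form of the event.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

def head(log):
    """Hash of the newest record; store it outside the log (e.g. in the SIEM)."""
    return json.loads(log[-1])["hash"] if log else GENESIS

def append(log, body):
    """Append one event as a JSONL line linked to the previous record."""
    prev = head(log)
    log.append(json.dumps({"prev": prev, "body": body, "hash": _digest(prev, body)}))

def verify(log, expected_head=None):
    """Walk the chain; return (ok, reason)."""
    prev = GENESIS
    for n, line in enumerate(log):
        rec = json.loads(line)
        if rec["prev"] != prev:
            return False, f"record {n}: broken link (event removed or reordered)"
        if rec["hash"] != _digest(prev, rec["body"]):
            return False, f"record {n}: hash mismatch (event modified)"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (tail truncated or log replaced)"
    return True, "ok"

def build_sample():
    """Three constructed events, not real NAAb telemetry."""
    log = []
    for body in ({"event": "agent.create", "agent": "reviewer"},
                 {"event": "agent.send", "tokens": 412},
                 {"event": "governance.block", "rule": "credential_exfiltration"}):
        append(log, body)
    return log
```

Without expected_head a chain whose newest records were dropped still verifies, so the head hash has to be kept somewhere the log writer cannot rewrite.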

Platform

  • Windows/MinGW64: JavaScript and Python polyglot executors enabled
  • macOS: environ declaration fix for persistent process executor
  • MSVC compatibility improvements
  • Cross-platform test hardening

Testing

  • 396 tests (334 pass, 51 error-behavior, 11 needs-tree-walk)
  • 738 security leak checks, 0 failures
  • 90 config fuzz cases, 0 crashes
  • Gorilla tests: naab-28 (77), naab-29 (102), naab-31 (120), naab-35 (40) assertions
  • 145 governance depth verification tests

Full Changelog: v1.7.0...v1.8.0

What's Changed

  • feat: execution-based governance contracts (6 contract types + VM support) by @b-macker in #17
  • fix: gorilla-27 infrastructure fixes (contracts, template, tests) by @b-macker in #18
  • fix: 10 governance infrastructure bugs from naab-29 adversarial testing by @b-macker in #19
  • Governance hardening + CDD reality checkpoint by @b-macker in #20
  • Governance hardening + naab-x1 infrastructure fixes by @b-macker in #21
  • Fix Python subprocess signing bug + add binding CI by @b-macker in #22
  • feat: 8-phase governance observability + orchestration (34 commits) by @b-macker in #23
  • Codebase quality audit: governance fixes + config extraction by @b-macker in #24

v1.7.0 — Governance Hardening, libnaab C API, VM Fixes

25 May 21:56
b950cb7

Highlights

libnaab-governance C API (PR #12, #13)

  • C API, CLI pipe mode, REST endpoint for external agent framework integration
  • Go, Rust, Java, C# FFI bindings + Python pip-installable package
  • LangChain, CrewAI, AutoGen integration examples

Security Hardening (PR #14)

  • 68+ security fixes across VM, sandbox, crypto, REST API, bindings, governance scanner
  • TAG_ENUM NaN-boxing — string(enum) returns variant name instead of integer
  • Unicode homoglyph and whitespace normalization for block evasion
  • Module aliasing, star import, reflection/indirection bypass detection
  • 86 adversarial scanner test vectors

Governance Contracts & Scanner (PR #15)

  • must_call behavioral contracts — enforce function call requirements
  • must_contain syntax pattern enforcement
  • Governance validity layer — authority decay, environment attestation, contradiction detection
  • Magic number / hardcoded constant detection in polyglot blocks

Parser & VM Fixes (PR #16)

  • ?? null coalescing now works inside match arms
  • Bare identifier keys in dict literals ({key: value})
  • VM compiler skips governance on imported module functions (matches tree-walker)

Gorilla Tests

  • naab-24 through naab-26_h compliance rule engine test suites

Test Suite

  • 391 tests (332 pass, 48 error-behavior, 11 tree-walk only, 1 pre-existing)

Full Changelog: v1.6.0...v1.7.0

What's Changed

  • feat: libnaab-governance C API for agent framework integration by @b-macker in #12
  • fix: resolve critical issues in libnaab-governance platform by @b-macker in #13
  • Round 2 security fixes + TAG_ENUM string conversion by @b-macker in #14
  • fix: module governance propagation, must_call contracts, scanner hardening by @b-macker in #15
  • fix: null coalesce in match arms, VM module governance, gorilla tests 26_f-h by @b-macker in #16

v1.6.0 — BSD Decay, Expanded Adversarial Tests, govern.json Timeout Fix

20 May 04:00

What's New

Behavioral Sequence Detection: Decay Timers

BSD patterns now support decay_seconds — a wall-clock timer that resets pattern state after a configured interval. Useful for patterns that should only fire when steps happen in close succession.

{
  "name": "credential_exfiltration",
  "sequence": ["env.get:*KEY*", "encode|base64", "agent.send"],
  "level": "hard",
  "decay_seconds": 30
}
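
A sketch of how a decay timer changes whether this pattern fires, as an added example that is not NAAb's implementation. The matching rules ('*' as a glob, '|' as alternative substrings), measuring the interval from the last matched step, and the event names in the sample traces are all assumptions.

```python
import fnmatch

# Pattern copied from the release notes; matching semantics below are assumed.
PATTERN = {
    "name": "credential_exfiltration",
    "sequence": ["env.get:*KEY*", "encode|base64", "agent.send"],
    "level": "hard",
    "decay_seconds": 30,
}

def step_matches(step, event):
    """Assumed rule: glob when the step contains '*', else any '|' alternative as substring."""
    if "*" in step:
        return fnmatch.fnmatchcase(event, step)
    return any(alt in event for alt in step.split("|"))

class SequenceDetector:
    def __init__(self, pattern):
        self.pattern = pattern
        self.index = 0         # next step of the sequence to match
        self.last_hit = None   # time of the most recent matched step

    def observe(self, event, now):
        """Feed one event with its time in seconds; True when the sequence completes."""
        decay = self.pattern.get("decay_seconds")
        if self.index and decay is not None and now - self.last_hit > decay:
            self.index = 0     # partial progress expired, start over
        seq = self.pattern["sequence"]
        if step_matches(seq[self.index], event):
            self.index += 1
            self.last_hit = now
            if self.index == len(seq):
                self.index = 0
                return True
        return False

def run(events, pattern=PATTERN):
    """events: list of (time, event); returns the times at which the pattern fired."""
    det = SequenceDetector(pattern)
    return [t for t, e in events if det.observe(e, t)]

# Constructed traces: same steps, in close succession vs. spread past the decay window.
FAST = [(0, "env.get:API_KEY"), (2, "string.upper"), (5, "encode.base64"), (9, "agent.send")]
SLOW = [(0, "env.get:API_KEY"), (45, "encode.base64"), (50, "agent.send")]
```

FAST fires at t=9; SLOW never fires because the 45-second gap resets the state, which also means anyone who can pace the steps stays under a decaying pattern.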

Gorilla Test #12 Expanded: 49 Tests

The adversarial agent test suite expanded from 30 to 49 tests across 12 phases, covering:

  • Telemetry JSONL schema validation
  • governance_notices semantics (negative tests — BSD does not pollute this field)
  • checkSecrets() response scanning (JWT, hardcoded passwords)
  • BSD decay mechanics (immediate block vs. post-decay pass)
  • agent.batch() structure and empty-batch edge cases
  • Soft-block behavior and agent.check() negative paths

Bug Fix: limits.execution.timeout_seconds Now Respected

govern.json's limits.execution.timeout_seconds was silently ignored — the runtime always used the 30s default or the --timeout CLI flag. Fixed in two places:

  • governance_config.cpp: limits.execution.timeout_seconds now wires to rules_.runtime.timeout
  • main.cpp: govern.json timeout is now authoritative; --timeout can extend but not override it

Agent Dispatch

  • agent_dispatch.max_concurrent increased to 4 for agent.batch() tests
  • Per-agent timeout_seconds configurable independently from script execution timeout

Full Changelog: v1.5.0...v1.6.0

v1.5.0

03 May 10:57

Full Changelog: v1.4.0...v1.5.0

v1.4.0 — Governed AI Agents

30 Apr 09:42

Highlights

use agent stdlib module — governed LLM conversations with multi-provider support (Anthropic Claude + Google Gemini).

What's New

  • Governed agent conversations: agent.create(), agent.send(), agent.run(), agent.messages(), agent.usage()
  • Per-agent governance: max_turns, max_tokens, max_total_tokens, system_prompt — all configured in govern.json
  • Per-agent sandbox config: allowed_paths, blocked_paths, shell_allowed (advisory, pending tool execution support)
  • Output content filtering: 18 secret patterns + 5 PII patterns scanned on every LLM response
  • Server-side AgentTracker: turn/token enforcement immune to handle dict mutation attacks
  • Tool-use response blocking: agents cannot invoke function calls (defense-in-depth)
  • Forged handle rejection: constructed handle dicts rejected at send time
  • 20 stdlib modules total, 387+ tests

Security

  • Agent output filtering blocks leaked secrets and PII in LLM responses
  • Server-side tracking prevents governance bypass via handle mutation
  • Bypass flags removed from all governance error messages (enforced by test_error_msg_leaks.sh)
  • 10+ governance gap fixes from adversarial Gemini session scanning

Also in this release

  • \x / \e string escapes, Gate 11b (main body hash), array.get() safe access
  • PROJECT_SETUP.md bootstrapping guide, CLAUDE.md internal reference
  • 15+ DX improvements, 5 governance hardening fixes from Synapse analysis

Full Changelog: v1.3.0...v1.4.0

v1.3.0

25 Apr 08:52

Full Changelog: v1.2.0...v1.3.0

v1.2.0

21 Apr 13:33

Full Changelog: v1.1.0...v1.2.0

v1.1.0

21 Apr 08:34

Full Changelog: v1.0.0...v1.1.0

NAAb v1.0.0 — First Stable Release

15 Apr 07:11

A polyglot programming language with embedded governance. Write Python, JavaScript, Rust, C++, Go, and 7 more languages inside .naab files, with a governance engine that enforces security, quality, and style rules at execution time.

Highlights

  • Bytecode VM — Default engine, ~8x faster than tree-walker
  • 19 stdlib modules — array, string, math, json, http, file, path, time, debug, env, csv, regex, crypto, log, uuid, validate, process, io, bolo
  • 12 polyglot executors — Python, JavaScript, Rust, C++, Go, C#, Ruby, PHP, Shell, Nim, Zig, Julia
  • Governance v4.0 — 50+ checks, 3-tier enforcement (hard/soft/advisory), shadow taint tracking
  • Code quality scanner — 127 checks, SARIF/JUnit/JSON output
  • Package manager — GitHub-based with SHA-256 integrity verification
  • LSP server — Diagnostics, code actions, rename, workspace symbols
  • 204 error messages with "Did you mean?" suggestions
  • 384 regression tests passing

Security

24 security hardening rounds (R1–R24), 60+ findings fixed across interpreter, VM, governance engine, package manager, LSP, REST API, and stdlib.

Building

git clone https://github.com/b-macker/NAAb.git
cd NAAb && mkdir build && cd build
cmake .. && make naab-lang -j$(nproc)

See INSTALL.md and CHANGELOG.md for details.

Full Changelog: v0.9.0...v1.0.0

v0.9.0 — Security Hardening & Parser Fixes

09 Apr 07:18

What's New

45 commits since v0.8.1, focused on security hardening, parser correctness, and Windows subprocess lifecycle.

Security (R8–R25, 17 audit rounds)

  • 60+ vulnerabilities fixed across governance, runtime, API, LSP, and VM
  • Token-bucket rate limiting for REST API (--api-rate-limit)
  • Atomic file ops with O_NOFOLLOW to prevent symlink TOCTOU
  • Bounded reads with 10MB cap to prevent OOM
  • Per-request API timeout with --api-timeout
  • Lockfile HMAC-SHA256 signatures (NAAB_LOCK_KEY)
  • Case-insensitive env var blocking (LD_PRELOAD, PATH, etc.)
  • Safe regex compilation with pattern analysis
  • Scanner symlink guard + per-agent shell enforcement
  • Nested container taint propagation + async FFI taint preservation
  • ErrorSanitizer wired to all error output paths
  • Fail-closed governance default (exit 4 when no govern.json)
  • Unconditional polyglot output tainting

Parser & VM

  • Function hoisting: functions, structs, and enums declared after main {} are now parsed correctly
  • VM compiler: dotted module paths (use modules.X) bind to the correct name
  • Duplicate main {} detection with helpful error message

Windows

  • Subprocess hardening: Job Object with KILL_ON_JOB_CLOSE, polling wait with timeout, narrowed handle inheritance via STARTUPINFOEXA, RAII cleanup
  • Ctrl-C handler: graceful shutdown on first Ctrl-C, force-kill on second
  • Cancellable timer threads (generation counter prevents stale timer poisoning)
  • Fixed windows.h macro collisions (OUT, STRICT)

Tests

  • 381 total tests, 326 pass (Linux), 0 unexpected failures
  • 25+ new security test scripts

What's Changed

  • build(deps): bump brace-expansion from 1.1.12 to 1.1.13 in /vscode-naab by @dependabot[bot] in #10

Full Changelog: v0.8.1...v0.9.0
