v0.1.0 · MIT License · 253 conformance tests

Agents safe
by construction.

ASL is a type-safe, effect-tracked programming language where uncertainty, taint, cost, and capability requirements are enforced at compile time — not patched on at runtime.

Get started → View on GitHub Playground
253
Conformance tests
4-in-1
Unified effect gate
S0–S3
Grammar strata
Rust
Compiler + VM
researcher.seed S1 · seedc 0.1.0 
#[requires(cap::network_read, cap::inference)]
agent Researcher {
  // All effects tracked in Computation<T, ε>
  fn analyse(query: String)
    -> Uncertain<Report>
    !{Network, Inference}
  {
    let raw: Computation<Data, ε> =
      perform Effect::NetworkFetch(query)
        requires cap::network_read;

    // Uncertainty + taint + cost + caps checked here
    discharge raw with {
      confidence:   0.80,
      taint:        taint::Agnostic,
      budget:       5000,
      capabilities: [cap::inference],
    } {
      // inner value is plain Data — safe to use
      let result = infer<Report>(
        model:  tier::cloud_mid,
        prompt: build_prompt(raw),
        budget: think::medium,
      );
      result
    }
  }
}
Design principles

Eight laws that govern every
design decision.

Where a new feature conflicts with a lower-numbered principle, the lower-numbered principle wins. No exceptions.

P1
Corrigibility is structural
Human oversight hooks and shutdown access are enforced by the VM. No agent program can weaken or remove them.
S3 kernel
P2
Uncertainty is first-class
Every inference returns Uncertain<T> with a probability interval [lo, hi]. It cannot be silently discarded.
type system
P3
Capabilities are unforgeable
Ed25519-signed tokens issued by the VM host. Cannot be forged, copied beyond delegation scope, or self-escalated.
vm-managed
P4
Identity is derived
An agent's identity is the content hash of its compiled binary, attested by zkVM proof. Self-declared identity is not trusted.
zkVM
P5
Communication is protocol-typed
Agent-to-agent messages conform to session types. Deadlock freedom is a compile-time guarantee, not a runtime hope.
session types
P6
All actions are auditable
Every inference call, memory write, and effect produces a provenance-tagged entry in a Merkle-proofed append-only log.
provenance DAG
P7
Evolution is adversarially gated
Self-amendment requires nominal and adversarial simulation, independent audit, and two-party human approval. No shortcuts.
S2 guarded
P8
Safety composes through trust
Conjunctive capability closures are checked before any agent composition. Individual safety does not imply compositional safety.
trust lattice
Research paper

A unified effect type system and language
for safe autonomous agents.

Introduces the Computation〈T,ε〉 graded monad and the discharge gate as the sole mechanism to unwrap effectful values. Presents a formal type system extending Hindley‑Milner with affine types, effect rows, and taint levels. Proves two safety theorems — effect soundness and taint integrity — and describes an end‑to‑end implementation with a 253‑test conformance suite.

📄 Read the paper (PDF) May 2026 · 8 pages · Damain Peter Ramsajan
Theorem 1
Effect Soundness
Every perform is syntactically within a discharge block — proved by induction on typing derivations.
Theorem 2
Taint Integrity
A Tainted value cannot flow into a capability‑exercising perform without an intervening sanitize — enforced at both compile time and runtime.
Dual enforcement
Defense in depth
Compiler (seedc) rejects ill‑typed programs. The VM gate catches what the static checker cannot — most systems enforce safety either statically or dynamically, not both.
Conformance
253 tests · 22 categories
ASL‑CONF‑15 suite provides empirical evidence for both theorems. Every claim in the paper is exercised by the test suite.
Language specification

The complete engineering blueprint
for every subsystem of ASL.

ASL formal specification — lexical grammar, complete EBNF syntax, the type system (Hindley‑Milner + affine types + effect rows + taint lattice), 8‑layer memory architecture, heartbeat/dream cycles, capability tokens, session protocols, temporal contracts, corrigibility, provenance chain, grammar stratification (S0‑S3), ISA extensions, the full standard library, and the ASL‑CONF‑15 conformance suite. Grounded in twenty‑one cited academic sources across effect systems, session types, capability security, taint tracking, stigmergy, and corrigibility.

📋 Read the specification (Markdown) v0.1.0 · 253 tests
Parts 1‑6
Complete language surface
Lexical grammar (§1), EBNF syntax (§2), type system (§3), Uncertain⟨T⟩ axioms (§4), and cognitive types (§5) — every keyword, operator, expression, and pattern.
Memory & lifecycle
8‑layer memory + heartbeat + dream
Memory architecture (§6‑14) with tri‑path governance, MESI coherency, CRDT federation, dual‑process retrieval, and the formal dream cycle with idempotency invariants.
Protocols & security
A2A, MCP, Mesh, Identity
Federation & stigmergy (§16), cognitive mesh with CAT7/SVAF (§17), A2A v1.0 binding (§18), MCP binding (§19), multi‑anchor identity (§20), and cryptographic identity with zkVM attestation (§21).
Safety & evolution
Capabilities, corrigibility, provenance
Capability tokens with hypergraph closure (§22), trust lattice (§23), session protocols (§24), temporal contracts with LTL/SMT (§25), corrigibility layer (§26), safety contracts (§27), guardrails (§28), self‑evolution with FGGM (§29), and provenance chain with SPICE Truth Stack (§31).
How it works

One gate. Four checks.
No unsafe code ships.

The discharge block is the only way to unwrap a Computation<T,ε>. The compiler enforces this. The VM enforces it again.

01
Every effect returns a Computation
Network calls, inference, memory writes, mesh sends — all return Computation<T,ε> carrying uncertainty interval, taint level, cost bounds, and capability requirements. The raw value is opaque until discharged.
Computation<Data, {uncertainty, taint, cost, caps}>
02
Chain with the bind operator
The ? operator chains computations as a graded monad — uncertainty intervals multiply, taint levels join at the lattice meet, costs accumulate. Uncertainty degrades honestly through the pipeline.
c1 ? |data| infer<Report>(prompt: data)
03
Discharge to use the value
You must declare what confidence floor, taint ceiling, token budget, and capability set you are accepting responsibility for. The compiler rejects missing thresholds. The VM traps at runtime if any threshold is violated — dual enforcement.
discharge comp with { confidence: 0.85, taint: Agnostic, … }
04
Three-valued uncertainty gate
The ?! operator is three-valued: Some(T) when the pessimistic bound passes, None when even the optimistic bound fails, and Ambiguous when the interval straddles the threshold — surfaced to a human principal, not silently collapsed.
result?!(threshold: 0.85) { Some(v) => act, Ambiguous => escalate }
05
Everything logged to provenance DAG
Every inference call, effect, and decision emits a Merkle-proofed provenance record. Deterministic seedvm replay enables full counterfactual audit. No action is unattributable.
prov! automatic on all infer<T> and mem.store() calls
discharge gate — runtime evaluation
confidence ε.uncertainty.lo 0.87 ≥ 0.80
taint ε.taint.level Agnostic ≤ Agnostic
cost ε.cost.max 3 840 ≤ 5 000
capabilities held [cap::inference] ✓
Result
Value unwrapped as plain Report — safe to use in pure code
Failure case
If any check fails → DischargeFailure raised. Compiler caught it before this. VM catches it again.
$ npm install -g @agentseed/cli
$ seed run hello.seed
Grammar stratification

Four strata. One language.

ASL partitions its grammar into four strata. The compiler rejects any construct above the declared stratum level at parse time. Escalation requires a human principal countersignature — an agent cannot self-escalate.

S0 · asl-seed
Seed
~50 grammar productions. LLM code generation, beginner authors, sandboxed agents.
Core control flow
Basic effects
Uncertain<T>
✗ memory governance
✗ session types
S1 · asl-core
Core
Production agents, standard multi-agent systems. Default build stratum.
All of S0
Capability tokens
Session types
Provenance DAG
Memory governance
S2 · asl-full
Full
Advanced agents with self-evolution and reinforcement learning training.
All of S1
Temporal contracts (LTL+SMT)
Trust lattice
Self-evolution (gated)
RL training hooks
S3 · asl-system
System
Runtime kernel, corrigibility layer. Trusted orchestrators only. Human sign-off required.
All of S2
Corrigibility heads (U1–U5)
Dead-man's switch
zkVM identity
Custom effect handlers
Language features

Everything an autonomous agent
actually needs.

Built into the language — not bolted on as a library or a runtime guard.

⚗️
Unified effect wrapper
Every effectful operation returns Computation<T,ε> carrying uncertainty interval, taint provenance, cost bounds, and held capabilities. The wrapper is opaque — you must discharge it.
Computation<T, {uncertainty, taint, cost, caps, prov}>
🎯
Typed inference with infer<T>
The compiler derives a JSON Schema from the struct T. The VM validates model output against this schema before binding — schema mismatches surface as InferenceError, never silent garbage.
infer<Report>(model: tier::cloud_mid, budget: think::deep)
🔒
Unforgeable capability tokens
Ed25519-signed, attenuable, delegable tokens issued by the VM host. Every perform expression must declare the required token. Capability checks are conjunctive across agent composition.
perform Effect::Write(k,v) requires cap::memory_write
🧵
Session-typed mesh communication
Agent-to-agent messages conform to global session type projections. Deadlock freedom is verified at compile time. An untyped mesh send only compiles at S0 with an explicit cap::untyped_mesh.
message ~> peer as role::Buyer // session-checked
📡
Heartbeat & dream cycle
Agents run a deterministic event loop: sense → decide → act. The dream cycle consolidates episodic memory, prunes stale knowledge, and writes a compressed journal. All corrigibility checks happen before act.
heartbeat { tick → decide → act_or_sleep }
🧬
Adversarially gated evolution
Self-amendment (S2) requires nominal simulation, adversarial simulation, independent audit, and two-party human approval recorded in an immutable evolution track. An agent cannot vote itself new permissions.
evolve requires simulate + audit + approve(2)
🔍
Merkle-proofed provenance
Every inference call, memory write, and decision emits a ProvenanceTag in an append-only DAG. Deterministic seedvm replay enables counterfactual surgery and full audit without trust in the agent itself.
prov! automatic — full do-calculus counterfactuals
⏱️
Temporal contracts (LTL + SMT)
Declare liveness and safety obligations in linear temporal logic. The compiler checks them statically; the VM enforces them at the decide and act phases. Violations halt execution or trigger a safe-park fallback.
temporal always { deference_check } until { shutdown }
🧠
Multi-layer memory system
L1 working memory, L2 episodic, L3 semantic, L4 procedural — all with configurable decay, consolidation, and MESI-style coherency. Dual-process System 1 / System 2 gating controls which retrieval path activates.
memory { episodic, semantic, procedural, working }
Comparison

Intrinsic safety vs. external guards.

Existing frameworks apply safety policies as runtime guards bolted onto programs written in conventional languages. ASL makes safety a property of the type system itself.

Property ASL v0.1 LangGraph / AutoGen AgentSpec Agent-C (LTL+SMT)
Effect tracking ✓ compile-time ✗ none ~ runtime only ✗ none
Uncertainty typing ✓ Uncertain<T> enforced ✗ discarded silently ✗ not modelled ✗ not modelled
Taint / information flow ✓ three-level lattice ✗ none ✗ none ✗ none
Capability security ✓ unforgeable tokens ✗ convention only ~ predicate rules ✗ none
Temporal contracts ✓ LTL + SMT, S2+ ✗ none ~ trigger rules ✓ LTL + SMT
Provenance / audit ✓ Merkle DAG, replayable ✗ informal ~ trajectory log ✗ none
Session-typed comms ✓ deadlock-free at compile time ✗ none ✗ none ✗ none
Enforcement layer ✓ static + runtime (dual) ✗ none ~ runtime only ~ runtime only
Applies to existing code ✗ requires ASL ✓ Python / JS ✓ any framework ✓ any framework

✓ supported  ·  ~ partial / runtime only  ·  ✗ not supported. ASL's tradeoff: intrinsic guarantees require programs to be written in ASL.

Open source · MIT license
Start building safe agents today.
ASL is open source and built in the open. The compiler, VM, conformance suite, and specification are all available on GitHub. Whether you are a PL researcher, an agent engineer, or an AI safety practitioner — your contributions are welcome.
📦 v0.1.0 🧪 253 conformance tests 📄 MIT license 🦀 Rust compiler + VM 📐 Spec v0.1.0
Read the docs → GitHub repo Join Discord Full spec (v0.1.0)
×