P‑AIProject‑AI
Specification · v0.8.1

Language reference

The semantics of Thirsty-Lang as implemented by the reference interpreter. This is the normative behaviour: where prose and the reference implementation disagree, the implementation governs until a numbered standard supersedes it.

Evaluation model

  1. 1. A program is a sequence of statements executed top to bottom in a single governance context.
  2. 2. The context is pre-seeded with standard variables (below). let overrides them; unknown identifiers are a static error and resolve to DENY.
  3. 3. Each require is an invariant. The first one to fail terminates the program with its else verdict — DENY by default, SAFE_HALT when halt is named.
  4. 4. Reaching commit resolves to ALLOW. Reaching the end of the program without a commit resolves to DENY (deny-by-default).
  5. 5. Every run emits a deterministic decision hash and an ordered audit trace.

Keywords

Declarations
intent

Declares the purpose of a program. Recorded in the audit trail before any gate runs.

intent "send_outbound_mail";
capability

Declares a bounded capability record (scope, authority class, etc.) the action intends to exercise.

capability OUT_MAIL { scope: 200, class: AC2 }
action

Names a block of governance statements representing one admissibility decision.

action "publish" { /* gates */ }
let

Binds a value into the governance context. Overrides default context variables.

let gap_days = 47;
Control
gate

Groups one or more requirements under a named gate for a readable audit trail.

gate "capability_check" { require scope <= 12000 }
require

An invariant that must hold. On failure the program halts with DENY (default) or SAFE_HALT.

require scope <= 12000 else deny "scope exceeded"
else

Selects the failure verdict for a require: deny or halt, with an optional message.

require shadow_ok else halt "shadow diverged"
Verdicts
commit

Terminal ALLOW. Reached only when every prior requirement passed.

commit;
safe_halt

Terminal SAFE_HALT — an explicit, audited refusal to continue.

safe_halt "self-modification conflation";
deny

Failure mode for require — the action is rejected but the system is not endangered.

require quorum >= quorum_required else deny "quorum not met"
halt

Failure mode for require — a safety-critical stop (SAFE_HALT).

require not self_modifies else halt "unsafe mutation"
Operators
and / or / not

Boolean operators. Aliases for && || !. Short-circuit evaluated.

require authority >= AC2 and scope <= 12000
Literals
true / false / null

Literal values.

let ledger_ready = true;

Governance context

Programs evaluate against a pre-seeded context. These variables model the runtime conditions a governance kernel would supply. Override any of them with let to explore different scenarios.

VariableTypeDefaultMeaning
AC0 … AC5number0 … 5Authority class constants.
authoritynumber2Authority class held by the caller.
scopenumber200Requested capability footprint.
gap_daysnumber0Days since last verified continuity anchor.
quorumnumber3Validators currently attesting.
quorum_requirednumber3Quorum threshold (≥ 2f+1).
self_modifiesboolfalseWhether the action mutates its own governing logic.
shadow_okbooltrueWhether the deterministic shadow run matched canonical.
ledger_readybooltrueWhether the audit ledger can accept a write.

Terminal verdicts

ALLOW

Execution reached commit. Every requirement held. The action is admitted.

DENY

A requirement failed, or no commit was reached. The action is rejected; the system remains safe.

SAFE_HALT

A safety-critical invariant failed via halt. A terminal, audited refusal to continue.