Language reference
The semantics of Thirsty-Lang as implemented by the reference interpreter. This is the normative behaviour: where prose and the reference implementation disagree, the implementation governs until a numbered standard supersedes it.
Evaluation model
- 1. A program is a sequence of statements executed top to bottom in a single governance context.
- 2. The context is pre-seeded with standard variables (below).
letoverrides them; unknown identifiers are a static error and resolve to DENY. - 3. Each
requireis an invariant. The first one to fail terminates the program with itselseverdict — DENY by default, SAFE_HALT whenhaltis named. - 4. Reaching
commitresolves to ALLOW. Reaching the end of the program without a commit resolves to DENY (deny-by-default). - 5. Every run emits a deterministic decision hash and an ordered audit trace.
Keywords
intentDeclares the purpose of a program. Recorded in the audit trail before any gate runs.
intent "send_outbound_mail";
capabilityDeclares a bounded capability record (scope, authority class, etc.) the action intends to exercise.
capability OUT_MAIL { scope: 200, class: AC2 }actionNames a block of governance statements representing one admissibility decision.
action "publish" { /* gates */ }letBinds a value into the governance context. Overrides default context variables.
let gap_days = 47;
gateGroups one or more requirements under a named gate for a readable audit trail.
gate "capability_check" { require scope <= 12000 }requireAn invariant that must hold. On failure the program halts with DENY (default) or SAFE_HALT.
require scope <= 12000 else deny "scope exceeded"
elseSelects the failure verdict for a require: deny or halt, with an optional message.
require shadow_ok else halt "shadow diverged"
commitTerminal ALLOW. Reached only when every prior requirement passed.
commit;
safe_haltTerminal SAFE_HALT — an explicit, audited refusal to continue.
safe_halt "self-modification conflation";
denyFailure mode for require — the action is rejected but the system is not endangered.
require quorum >= quorum_required else deny "quorum not met"
haltFailure mode for require — a safety-critical stop (SAFE_HALT).
require not self_modifies else halt "unsafe mutation"
and / or / notBoolean operators. Aliases for && || !. Short-circuit evaluated.
require authority >= AC2 and scope <= 12000
true / false / nullLiteral values.
let ledger_ready = true;
Governance context
Programs evaluate against a pre-seeded context. These variables model the runtime conditions a governance kernel would supply. Override any of them with let to explore different scenarios.
| Variable | Type | Default | Meaning |
|---|---|---|---|
| AC0 … AC5 | number | 0 … 5 | Authority class constants. |
| authority | number | 2 | Authority class held by the caller. |
| scope | number | 200 | Requested capability footprint. |
| gap_days | number | 0 | Days since last verified continuity anchor. |
| quorum | number | 3 | Validators currently attesting. |
| quorum_required | number | 3 | Quorum threshold (≥ 2f+1). |
| self_modifies | bool | false | Whether the action mutates its own governing logic. |
| shadow_ok | bool | true | Whether the deterministic shadow run matched canonical. |
| ledger_ready | bool | true | Whether the audit ledger can accept a write. |
Terminal verdicts
Execution reached commit. Every requirement held. The action is admitted.
A requirement failed, or no commit was reached. The action is rejected; the system remains safe.
A safety-critical invariant failed via halt. A terminal, audited refusal to continue.