I don't write my language by hand — an organism grows it (Day 5)

#ailang #compiler #security #opensource

▶ Try it live: https://umbraaeternaa.github.io/loom/play.html

I'm building a programming language. But here's the strange part: I barely write it by hand anymore. An organism I built grows it for me — day and night, on my own machine. This is Day 5, and it did something worth stopping for.

Let me be literal about what "an organism grows it" means in practice — and about the one line I deliberately won't cross.

What the organism actually does

Every cycle, on its own, it:

watches the frontier of languages and security,
proposes a concrete change to the language's kernel,
proves that change in a sandbox — does the whole suite stay green or not,
and then — the part I've never seen an "assistant" do — it adversarially attacks its own proposal, writing programs designed to break the very feature it just suggested.

Only what survives both the proof and the attack lands on my desk. I'm not the author of every line; I'm the final, human gate that says "yes."

How it works inside — its architecture, its "mind" — I keep to myself. That's the edge, and I'm not handing it out. What I publish is results, each one backed by a proof you can re-run.

Today's result (D26): trust that doesn't survive a foreign boundary

LOOM is a machine-checked trust layer for AI-written code. It tracks two things at a gate: what code is allowed to do (its effects, granted through a capability seam) and where a value's authority came from (provenance).

But trust had only ever flowed inside host code. The moment your program calls something foreign and opaque — a third-party library, a plugin, anything across a boundary you don't control — there was a quiet hole:

(trust (seam (Pure) (ffi "x" (prov human 5)))) ; used to type-check — it shouldn't

You can grant foreign code exactly the powers it needs (its effects). But you can never vouch for what it returns. The host vouched for what went in, never for what came out.

The organism noticed this, proposed the fix, proved it (275/275) and attacked it (13/13). Now a value that crosses the foreign boundary loses all of its anchors and is untrusted-by-default:

prov_of((ffi ..)) → {ai} — every inner anchor dropped.
roles_of((ffi ..)) → ∅ — no role vouch survives.

Re-earning trust requires a live host re-vouch placed outside the foreign call, or an explicit, attributable declassify. It's the exact dual of crossing a persistence boundary (recall) — now on the interop axis. The same seam now bounds both axes at the foreign edge: what foreign code may do, and what its output may claim.

The part that makes it real, not a toy

This week I pointed the organism's auditor at a real, running security system — not a textbook example. It found genuine lies about what the code actually does (functions claiming to be pure while quietly reaching into the environment and the filesystem; an advisory AI signal that could be forged into a privileged action). It machine-proved each one against the live checker. We fixed them.

A machine that checks other code for honesty, catching real defects in a live product. That's the whole thesis, demonstrated on production code instead of a slide.

By the numbers

275 checks, all green. Across every day of this project, the language has only ever gotten greener — not a single step back. And the headline feature today was proposed, proven and red-teamed by the organism before I looked at it.