When code is increasingly written by AI, you often can't trust the author. So I'm exploring a different question: instead of trusting who wrote it, can you make what code is allowed to do machine-checkable — and refuse to run anything that lies about it?
That's LOOM: a small (~600-line) s-expression language — a parser, a static effect checker, an interpreter, and backends that compile checked code to Python and JavaScript. It's a research kernel, self-verified by 203 checks that can only ever grow greener.
The slogan: AI proposes, the compiler disposes.
The core
Every function carries an effect row from {Pure, IO, Net, Alloc, FFI, Rand}, and the superset rule holds: declared effects must be a superset of what it actually does. You may over-declare; you may never under-declare (lie).
lisp
(defx greet (IO) (fn (n) (print n))) ; honest: declares IO, does IO -> accepted
(defx sneaky () (fn (n) (print n))) ; lies: declares nothing, does IO -> REJECTED
A capability seam grants authority explicitly — un-wrapped foreign code has none:
(seam (Pure) (ffi "logger" x)) ; the foreign call's I/O is now physically impossible, not just undeclared
The trust layer (the interesting part)
The building blocks above aren't new (Koka, Eff, Unison, OCaml 5). What LOOM explores is the synthesis, framed for the threat model of AI-authored code — where the AI may write the code, the spec it's judged by, and the proof, so it vouches for itself:
Provenance + a trust gate. (prov P e) tags who authored a value; (trust e) refuses a value vouched only by itself; (trust N e) demands N distinct independent (non-ai) anchors — a defense against circular trust.
Roles + a role lattice. (trust (roles code review) e) needs each role covered by a non-ai author and ≥ 2 distinct authors; (sub reviewer auditor) lets a stronger check stand in for a weaker requirement.
Provenance-gated capabilities. (seam (Net) (roles code review) …) grants the dangerous effect only to independently-vouched code; (needs Net review) binds a specific effect to a specific reviewer.
Program-wide policy. (rank …), (require EFF role|N), (forbid EFF) — declare the trust policy once; every gate inherits it.
Provenance taint. Provenance flows through data: a value derived from a (prov ai …) value still counts as ai at a gate, even after it's bound and computed with — across statements.
Run it (no dependencies, pure Python 3)
python3 run_tests.py # PASS — 203/203 citadel checks
python3 loom.py run examples/trust.loom # => 42 (refused without independent anchors)
python3 loom.py run examples/gated.loom # Net granted only to independently-reviewed code
python3 loom.py run examples/taint.loom # => 41 (the value still carries {human, audit} at the gate)
Honest status
This is alpha — a v0 kernel, deliberately tiny, grown incrementally; every feature lands only with an adversarial test that keeps all checks green. Feedback and criticism are very welcome — especially where the model is wrong.
Links & support
Built solo, in the open, from Ukraine 🇺🇦 — no company, no funding, just one person trying to make AI-written code something you can actually trust.
⭐ Code (GitHub): https://github.com/umbraaeternaa/loom
📸 Daily dev log (Instagram): https://instagram.com/umbra_owner_architect_ai
☕ Support the work (Monobank): https://send.monobank.ua/jar/AHaziFXjYX
A ⭐ on the repo helps it reach more people. Thank you.
Top comments (0)