{"slug": "jo-secure-programming-for-the-ai-era", "title": "Jo – Secure Programming for the AI Era", "summary": "Jo, a new statically typed programming language, was introduced today with a design that denies side effects by default and requires explicit, fine-grained capabilities for any authority. The language's compiler checks capability flow through the call graph, making permission confinement a property enforced by the type system to restrict untrusted code to specific directories, API hosts, or user data. This approach directly addresses the security challenges of AI-generated code, where agents must be granted only the precise capabilities needed for a task without hidden access to filesystems, networks, or other users' records.", "body_md": "# Introducing Jo — Secure Programming for the AI Era\n\nToday we are introducing **Jo**, a statically typed programming language where side effects are denied by default and authority must be granted explicitly, through fine-grained capabilities checked by the compiler.\n\nModern systems execute plugins, call third-party services, run user-defined workflows, and increasingly ask AI agents to generate and execute code. The security question is no longer only \"is this program correct?\" It is also:\n\nHow do we restrict an untrusted program to only the fine-grained capabilities it has been granted?\n\nJo is designed to make fine-grained permission confinement a property enforced by the type system, at the level of precision real systems need: a specific directory, a single API host, a read-only interface, or only the database rows belonging to the current user.\n\n## The Problem: Ambient Authority\n\nMost mainstream languages make powerful authority available by default. A piece of code can usually reach for the filesystem, environment variables, network, reflection, process APIs, or foreign-function interfaces unless a runtime sandbox stops it.\n\nThat model is convenient, but it is hard to audit. 
If you want to run a third-party function and guarantee that it can only query a narrow API, not read files or call the network, the language itself usually gives you little help. You end up relying on containers, permissions, code review, convention, or runtime isolation.\n\nJo takes a different route: authority is represented by explicit capabilities, and those capabilities can be as narrowly scoped as the application requires. The compiler tracks which capabilities code may use, so confinement is expressed in interfaces and types rather than hidden in runtime configuration.\n\n## Capability-Based Programming\n\nIn Jo, capabilities are ordinary parameters. They can be passed, refined, substituted, and restricted. A function that has not received a capability cannot use it.\n\nHere is an example:\n\n```\ndef foo() = println \"foo\"                     // inferred capability: stdout\ndef bar() = foo()                             // inferred capability: stdout\n\ndef qux() receives IO.stdout = println \"qux\"  // explicit capability: stdout\n\ndef main =\n  allow none in bar()                         // error: stdout not allowed\n  allow IO.stdout in bar()                    // OK\n  with IO.stdout = s => pass in qux()         // redirect output\n```\n\nThe compiler checks capability flow through the call graph. If a function needs `IO.stdout`, that requirement is visible and controllable. If a call site says `allow none`, then no hidden authority can slip through.\n\nThis gives Jo the convenience of implicit context without the security cost of ambient globals.\n\n## Why This Matters for AI-Generated Code\n\nAI-generated code makes the authority problem even more acute. 
If an agent writes a function for your application, you may want it to analyze data and produce a summary, but not access the filesystem, call arbitrary HTTP endpoints, inspect environment variables, or query other users' records.\n\nJo's approach is to grant only the capabilities the code should have:\n\n```\n// API library: compiled without FFI support\ninterface OrdersApi\n  def query(lastDays: Int): List[Order]\nend\n\nparam ordersApi: OrdersApi\n\n// AI-generated code\ndef aiMain(): Unit receives ordersApi, IO.stdout =\n  val orders = ordersApi.query(30)\n  summarize(orders)\n```\n\nThe framework can implement `OrdersApi` using a real database, but expose only a user-scoped, read-only view to the untrusted code. The AI-generated function does not receive raw database access. It does not receive network access. It does not receive filesystem access. The type checker enforces that boundary before the program runs.\n\nThis is the core idea behind Jo: make authority confinement a programming model.\n\nThe [Two-World Architecture](./../security/two-worlds.html) page describes this model in detail, and [Secure Language Design](./../security/language-design.html) covers the language facilities — capability parameters and authority attenuation — that make confinement practical.\n\nFor a concrete example, see the [data-query agent demo](https://github.com/typescope/jo/tree/main/demos/data-query-agent), which shows how an agent can ask flexible questions over a database while being statically restricted to the current user's data.\n\n## A Language, Not Just a Policy System\n\nJo is also intended to be pleasant as a general-purpose language. 
It combines object-oriented and functional programming with a compact syntax, type inference, classes, interfaces, algebraic data types, pattern matching, and context parameters.\n\nFor example, Jo has reusable pattern predicates:\n\n```\npattern Positive: Partial[Int] = case x if x > 0\npattern Even: Partial[Int] = case x if x % 2 == 0\n\nmatch n\n  case Positive & Even => \"positive even\"\n  case Positive        => \"positive odd\"\n  case _               => \"non-positive\"\n```\n\nAnd union types with pattern matching:\n\n```\nunion Shape =\n    Circle(radius: Float)\n  | Rectangle(w: Float, h: Float)\n\ndef area(shape: Shape): Float =\n  match shape\n    case Circle r => 3.14 * r * r\n    case Rectangle w h => w * h\n```\n\nJo's design philosophy is to combine strong security guarantees with programmer happiness. Security should not require fighting the language, writing boilerplate, or moving essential reasoning into deployment configuration. The goal is to make secure programming feel natural, expressive, and auditable.\n\nJo is designed for both programmers and security reviewers. Capability boundaries are expressed in interfaces and types, so the authority a program receives is visible at the API boundary rather than scattered through implementation details or deployment configuration. This makes security auditing simpler: reviewers can inspect what capabilities are granted, where they flow, and where they are deliberately restricted.\n\n## Formal Foundations\n\nJo's design is grounded in λCC (*Lambda-CC*), a minimal calculus of contextual capabilities with a soundness proof mechanized in Coq.\n\nThe full paper and Coq development are at [github.com/typescope/contextual-capability](https://github.com/typescope/contextual-capability).\n\n## Current Status\n\nJo is early-stage software, but it is already substantial: the compiler has an extensive test suite, and the core capability model is ready for serious experimentation. 
The language design, standard library, and tooling are still evolving.\n\nWe encourage security-focused teams to evaluate Jo for new projects, prototypes, internal tools, and constrained production use cases where existing technologies cannot provide the authority confinement they need. For critical deployments, start small, audit the capability boundaries carefully, and expect the language and tooling to evolve.\n\n## Development\n\nJo is developed by [TypeScope](https://typescope.ai/), a company focused on making secure programming practical. We are building Jo as long-term infrastructure: a language, compiler, standard library, documentation, and ecosystem designed to grow steadily over many years.\n\nOur ambition is high: to make Jo one of the best languages for writing security-critical software, and to make secure programming feel natural rather than burdensome.\n\nJo is open source under the Apache License 2.0. The repository is available at [github.com/typescope/jo](https://github.com/typescope/jo).\n\nThe project welcomes people interested in language design, capability-based security, secure AI systems, compilers, and practical type systems. We especially want feedback on the security model, ergonomics, and real-world use cases.\n\n## Learn More\n\nStart with the [Language Tour](./../overview/language-tour.html) for the language surface, or read [Two-World Architecture](./../security/two-worlds.html) for the security model in more detail. For installation, see the [install guide](./../usage/install.html).\n\n## Feedback\n\nWe welcome feedback from language designers, security engineers, compiler engineers, and developers building agentic systems. For concrete bugs or issues, open an issue on [GitHub](https://github.com/typescope/jo). For community discussion, join [r/jolang](https://www.reddit.com/r/jolang/). 
Security reports should follow the process in the repository's [SECURITY.md](https://github.com/typescope/jo/blob/main/SECURITY.md).\n\nIf the core idea resonates with you, follow the project, try the examples, and join the discussion. Jo's mission is simple: make secure programming a joy.", "url": "https://wpnews.pro/news/jo-secure-programming-for-the-ai-era", "canonical_source": "https://jo-lang.org/blog/2026-06-04-introducing-jo.html", "published_at": "2026-06-05 00:56:04+00:00", "updated_at": "2026-06-05 01:47:29.618860+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-tools"], "entities": ["Jo"], "alternates": {"html": "https://wpnews.pro/news/jo-secure-programming-for-the-ai-era", "markdown": "https://wpnews.pro/news/jo-secure-programming-for-the-ai-era.md", "text": "https://wpnews.pro/news/jo-secure-programming-for-the-ai-era.txt", "jsonld": "https://wpnews.pro/news/jo-secure-programming-for-the-ai-era.jsonld"}}