Rust gives you mathematical rigor at the cost of cognitive load. Ruby gives you conversational beauty at the cost of runtime surprise. Garnet gives you both — within a single coherent language whose mode boundary is the reconciliation.
Mathematical correctness. Memory discipline. Zero-cost abstractions. Performance to the metal.
But — cognitive load, lifetimes-as-mental-stack, ceremony.
Managed mode (def + ARC + exceptions) feels Ruby-like. Safe mode (@safe + fn + ownership + Result) feels Rust-like.
The mode boundary auto-bridges errors and ARC ↔ affine.
Conversational beauty. High velocity. Joyful to read, fast to write. DSLs flow.
But — ambient authority, runtime surprise, no compile-time net.
Every team eventually picks: Rust for the hot path, Ruby for the orchestration, and writes a painful FFI between them. Or picks one language and swallows its weakness.— The Reconciliation, Paper III §1
Garnet's dual-mode design makes the same source file velocity-first at the top level and rigor-first in the safe modules — with no FFI in between.
Capability security, bounded execution, and signed provenance are well-precedented — Pony and Austral, Wasmtime and eBPF, Sigstore and SLSA each do a piece well. Garnet's bet is the integration, not the parts: no existing language combines capability annotations, bounded execution, sealed provenance, and capability-surface diffing, targeted at agent-authored code.— Positioning, honest: integration over pillar-by-pillar novelty
The headline is diff-caps: when a dependency or an agent's PR changes what authority the code can exercise, Garnet answers "what new authority am I granting?" in one screen — turning the review bottleneck (the binding constraint on accepting AI-written code) into a machine-checkable diff. That is the part with no cross-language equivalent, and the reason a new language — not a linter — is warranted.
Switch between examples to see how Garnet inherits Rust's shape and Ruby's brevity. The keyword chooses the register: def = managed, fn = safe.
fn greet(name: &str) -> String { format!( "Hello, {}!", name) }
def greet(name) "Hello, #{name}!" end
# Managed — Ruby feel def greet(name) { "Hello, #{name}!" } # Safe — Rust rigor @safe fn greet( borrow name: String) -> String { "Hello, #{name}!" }
fn read_config( path: &Path) -> Result<Config, io::Error> { let content = fs::read_to_string(path)?; toml::from_str(&content) .map_err(convert_err) }
def read_config(path) content = File.read(path) TOML.parse(content) rescue Errno::ENOENT nil end
@caps(fs) def read_config(path) { try { TOML.parse( fs::read_file(path)) } rescue e: FileNotFound { nil } }
let names: Vec<String> = users.iter() .filter(|u| u.active) .map(|u| u.name.clone()) .collect();
names = users .select(&:active) .map(&:name)
# Pipeline style let names = users |> filter(|u| u.active) |> map(|u| u.name) # Ruby block style let names = users .filter do |u| u.active end .map do |u| u.name end
use some_vector_db::*; use some_episodic_log::*; struct Agent { events: EventLog<Event>, facts: VectorStore<Fact>, } impl Agent { // ...setup ceremony... }
class Agent def initialize @events = [] @facts = {} end def remember(e) @events << e end end
actor Agent { memory episodic events : EpisodeStore<Event> memory semantic facts : VectorIndex<Fact> protocol remember(e: Event) -> Bool protocol recall(q: String) -> Array<Fact> on remember(e) { events.append(e); true } }
These are not libraries. They are first-class language constructs — checked at compile time, integrated through the whole toolchain, designed to compose.
Same grammar, two registers. Managed mode (def) reads like Ruby. Safe mode (@safe fn) reads like Rust. The boundary auto-bridges errors + ownership.
Every managed↔safe call is logged via ModeAuditLog. Reviewers read one file to enumerate every trust crossing in the program.
Every function declares its OS-authority budget. CapCaps propagator verifies transitively at compile time — no ambient authority, ever.
First-class memory working|episodic|semantic|procedural keywords. The runtime picks the allocator. Paper VI Contribution 4.
actor.reload_signed(&sig, ...) with BLAKE3 schema fingerprint catches type mismatches. Zero message loss at 1000 cycles.
garnet build --deterministic --sign emits a byte-identical manifest plus Ed25519 signature. Verify any binary you downloaded.
Garnet is not claiming to replace either parent. This table is positioning, not a benchmark: where each language sits, and what Garnet's dual-mode design buys you. The last row stays deliberately honest.
| Axis | Rust | Ruby | Garnet |
|---|---|---|---|
| Memory safety | Compile-time ownership | Runtime GC | Safe mode: ownership · Managed mode: ARC-managed |
| Cognitive load | High (lifetimes) | Low | Progressive — low in managed, Rust-like in safe |
| Error model | Result<T,E> | Exceptions | Both, auto-bridged at the mode boundary |
| Concurrency | Threads/async, Send+Sync | GVL-limited | Actors + Sendable checking |
| Agent/memory primitives | Library | Library | Language-level (working/episodic/semantic/procedural) |
| Capability control | External crates | External gems | @caps(...) in the language |
| Reproducible builds | Tooling-dependent | Not a goal | Manifest + Ed25519 signature contract |
| Maturity | Production | Production | Research-grade prototype (v0.x.x) — not production-complete |
@caps(fs) is a semantic beacon: a single annotation that front-loads the function's OS-authority budget. Both humans and language models can scan a file and reason about what it can — and cannot — do.
@caps(fs) def get_user_summary(path, id) { let data = JSON.parse( fs::read_file(path)) let user = data["users"][id] "#{user.name}: #{user.email}" } # compile-time error: caps coverage: # function `bad` does not declare # `fs` but transitively calls # `read_file` which requires it @caps() def bad() { fs::read_file("/etc/passwd") }
fs::* primitive.The garnet convert tool is a migration assistant, not a full transpiler: it reads four deterministic source lanes and emits sandboxed Garnet with lineage, metrics, and a human migration checklist.
| Tier | What it means |
|---|---|
| Active conversion Rust · Ruby · Python · Go | Deterministic frontends — carries ownership-like shape, module boundaries, and migration evidence with deterministic behavior. |
| Advisory planning JS · TS · Swift · Java · Perl · Kotlin · Shell · SQL · … | Risk-first migration planning + inventory until deterministic parser/lineage support lands; explicit and human-gated. |
| Native boundary C · C++ · Obj-C · Asm · CUDA · platform | Explicit modules or FFI with CapCaps + sandbox policy where ABI and hardware behavior are source-of-truth. |
Backend Wasm/LLVM-style lowering is planned (pending backend evidence). The fit rule, LLM-advisory review path, and machine-readable adoption surface are detailed in the full conversion policy →
def parse_config(text) text.split("\n").map do |line| k, v = line.split("=", 2) [k.strip, v.strip] end.to_h end
@sandbox @caps() module Config { def parse_config(text) { let out = {} for line in text.split("\n") { let parts = line.split("=", 2) out.insert( parts[0].trim(), parts[1].trim()) } out } }
Adoption surface evidence is machine-readable through scripts/garnet_adoption_surface_status.py. It keeps the provider-neutral prompt pack, provider-option registry, and advisory flow bounded: source classifier -> risk inventory -> Garnet context -> advisory plan -> review handoff -> human-approved candidate -> garnet check/test/dogfood.
The universal installer now targets the v0.8.1 release path. It pulls release packages when they exist, verifies them against SHA256SUMS, and falls back to a source install through cargo install --locked only when no matching release asset exists. The v0.8.1 GitHub Release ships signed garnet-0.8.1-* CLI binaries + a CycloneDX SBOM; detailed productization gates live on the readiness status page.
| Platform | v0.8.1 asset | Current path |
|---|---|---|
| macOS · Apple Silicon | garnet-0.8.1-aarch64-apple-darwin.tar.gz | release tarball; signed .pkg not claimed |
| macOS · Intel | garnet-0.8.1-x86_64-apple-darwin.tar.gz | release tarball; signed .pkg not claimed |
| Linux x86_64 | garnet_0.8.1-1_amd64.deb · garnet-0.8.1-1.x86_64.rpm | release package |
| Linux aarch64 | — no package claimed — | source install |
| Windows | — no package claimed — | source install |
SHA256SUMS):shasum -a 256 --ignore-missing -c SHA256SUMS
# Universal installer: curl --proto '=https' --tlsv1.2 -sSf https://garnet-lang.org/install.sh | sh # Force native release package only: curl --proto '=https' --tlsv1.2 -sSf https://garnet-lang.org/install.sh | GARNET_INSTALL_MODE=release sh # Force source install: curl --proto '=https' --tlsv1.2 -sSf https://garnet-lang.org/install.sh | GARNET_INSTALL_MODE=source sh
# Recommended — universal installer: # uses v0.8.1 CLI tarballs when available and otherwise falls back # to source install. Signed .pkg/notarization is not claimed yet. curl --proto '=https' --tlsv1.2 -sSf https://garnet-lang.org/install.sh | sh # Source install (any arch, needs a Rust toolchain): git clone https://github.com/Island-Dev-Crew/garnet && cd garnet/garnet-cli && cargo install --path . # For Apple distribution evidence, see status.html.
# Recommended — universal installer (SHA256SUMS-verified): curl --proto '=https' --tlsv1.2 -sSf https://garnet-lang.org/install.sh | sh # Published v0.8.1 release assets: # https://github.com/Island-Dev-Crew/garnet/releases/tag/v0.8.1 # Debian/Ubuntu: sudo apt install ./garnet_0.8.1-1_amd64.deb # Fedora/RHEL: sudo dnf install ./garnet-0.8.1-1.x86_64.rpm # Source install (any arch, needs a Rust toolchain): git clone https://github.com/Island-Dev-Crew/garnet && cd garnet/garnet-cli && cargo install --path .
# Supported today — source install (needs a Rust toolchain): git clone https://github.com/Island-Dev-Crew/garnet && cd garnet/garnet-cli && cargo install --path . # Windows package evidence is tracked on status.html.
See it run — the real first-project loop:
$ garnet new --template cli my_app created my_app/ (cli template) $ cd my_app $ garnet test test test_arithmetic ... ok test test_string_interpolation ... ok test result: ok. 2 passed; 0 failed; in 2 file(s) $ garnet run src/main.garnet Edit src/main.garnet to change this message. => 0
After install, scaffold a project:
garnet new --template cli my_app cd my_app garnet test # 2 starter tests pass green garnet run src/main.garnet
New here? Follow the Getting Started walkthrough →
Keeping Garnet updated:
git pull then cargo install --path . for a source build. A first-class toolchain manager — garnet update, stable/nightly channels, and garnet self uninstall — is planned and not yet available. This section will change when it ships; it is listed here so the roadmap is honest, not so the commands look real.
The macOS Studio surface is a source-checkout workbench for real Garnet flows — not a separate product. It runs:
In Codex Desktop, a Codex Run action wires script/build_and_run.sh to build SwiftPM, stage dist/Garnet Studio.app, and launch it.
The Windows/Linux lane now has a separate Tauri v2 shell scaffold under apps/garnet-studio. Windows local proof covers the Vite frontend build, Tauri backend tests, release executable, unsigned NSIS bundle, --studio-smoke Desktop evidence, a Release / Readiness panel wired to the repo-native v0.5 reporters, verified x64 clean-VM installer proof, WSL package/window portability evidence, Studio Domain Proof Matrix shell output, and Release / Readiness shell reporter output. It is still not signed MSI, winget, clean/non-WSL Linux desktop GUI launch, live Release / Readiness GUI screenshot proof, Windows ARM64 proof, or completed cross-platform package proof.
Use the Codex Run action or ./script/build_and_run.sh --verify to build, launch, and prove the app process from the checkout.
Studio exposes Assist Plan, Advisory Bundle, Advisory Review, and Advisory Handoff for TypeScript, JavaScript, Swift, Java, C, C++, C#, Perl, Kotlin, Shell, SQL, and Other as local planning, review, and source-free handoff evidence under ~/Desktop/dogfood/, not active conversion.
The Release panel can run the repo-native MIT/productization reporter and generate manifested demo-route, deck-outline, and browser-smokeable deck-preview bundles, keeping presentation rehearsal separate from the completed tracked-slice ledger and final acceptance. Detailed signing, notarization, clean-machine Gatekeeper evidence, and the machine-readable preflight status reporter stay on the readiness status page.
The Release panel can show which Mac-side lanes can still move from this checkout and which gates belong to Apple credentials or Windows/Linux runtime proof.
# From a source checkout: ./script/build_and_run.sh --verify # Codex Desktop: # click Run, which calls ./script/build_and_run.sh # Output bundle: dist/Garnet Studio.app
The promo lane now carries the verified MP4/WebM render, automated visual-QA output, website export, and public-site sync evidence. It stays deliberately bounded: human/aesthetic acceptance remains open, and this is not full MIT/productization completion.
Public-site embedded means the repo has a synced site asset path and manifest-backed evidence. Detailed acceptance and distribution gates are tracked on status.html.
Latest local dogfood pulse from scripts/garnet_mit_readiness_status.py. This is not the same as tracked implementation completion.
Objective accounting keeps the landing page confident and the status page precise: the tracked implementation plan is complete, while platform distribution, provider-backed assist, backend lowering, proof, and empirical validation remain separately gated.
Garnet ships seven research papers plus four addenda. Where claims are empirical, evidence is traceable to reproducible artifacts; empirical claims are labeled by confidence and status, with partial outcomes explicitly downgraded in the v4.0 revisions.
The canonical language specification. Grammar, type system, mode boundary, capability inventory, deterministic build manifest.
The current capability-tagged primitive table: pure string/array/crypto helpers plus explicit time, file, and network authority.
Rust + Ruby → Garnet. The dual-mode design rationale, the mode boundary as a first-class construct, the capability model.
Seven novel contributions, pre-registered Phase 1C, executed Phase 4A. Honest scorecard: 4 supported, 2 partial, 0 refuted, 1 pending-infra.
Side-by-side Rust / Ruby / Garnet across 10 patterns. The §20 chapter explicitly separates measured claims from argued claims.
Garnet is early and the community surface is honest about it. GitHub Discussions are live as of v0.5.0 — that's where design conversations, show & tell, and RFCs happen. A Discord/chat server is not — chat will only appear here when contributor volume sustains it.
Pinned threads to start with: Welcome · Show & tell — what are you building · RFC — package registry shape.