Enforcement by construction.
The agent tooling stack — review skills, eval harnesses, operating models, connectors — enforces good behavior by convention. A capability‑typed language enforces it by construction. As agents write and are granted more authority, that difference stops being academic. A skill can be skipped. A type cannot.
Policy is porous · the property is not
Where the skeptic wins
If Garnet is pitched as "a nicer general‑purpose language humans adopt by choice," the skeptic beats it, and it's worth saying so plainly. Every skill in the modern agent stack — ai-first-engineering, agentic-engineering, model routers, eval harnesses — operates on an existing language; the value looks like it lives in the agent, not the target language. Models are most fluent in the incumbents, so a new language starts behind on the axis that now dominates: the training distribution. Capability enforcement already exists at the runtime and OS layer — WASI permissions, --allow-net, seccomp, the sandbox behind every "bypass permissions" button. Attestation — SBOM, SLSA, Sigstore — is language‑agnostic tooling. And a young project reaching escape velocity against platform‑scale tooling that the labs give away for free is brutal math.
The concession, stated once
On the "better general‑purpose language for humans" framing, the skeptic is right. Garnet's case does not live there. It lives one layer down — and the tooling explosion doesn't shrink that layer, it enlarges it.
Convention vs. construction
Everything in that command palette is policy. A review skill, an eval harness, an operating model, an MCP connector — they are advisory, external to the artifact, probabilistic, and runtime‑optional. They tell an agent what it should do and hope it complied. Not one of them makes it structurally impossible for the shipped code to hold authority it never declared.
That impossibility is the only thing a capability‑typed language sells — and it is the one thing process cannot manufacture. The tooling is convention. Garnet is construction. When authority is a compile‑time property of the artifact, "the agent was told to be careful" is replaced by "the code cannot express authority it didn't declare."
The textual diff of agent code is enormous. The authority diff is small, and machine‑computable.
That is the whole mechanism. A 3,000‑line agent PR is unreviewable by reading; its capability delta is one line. Garnet makes that delta a typed, diffable, sealed property of the code — which is exactly the localization instrument the field is missing for AI‑generated change.
Ten reasons, July 2026
Construction beats convention
A skill can be skipped, mis‑prompted, or forgotten; a type cannot. When authority is a property of the artifact, the gap between "told to be careful" and "structurally unable to overstep" closes — and nothing outside the code can close it.
Acceptance the model can't fake
An LLM‑as‑judge produces a probabilistic verdict from the same class of system that wrote the code. Garnet's acceptance is a deterministic trap — the compiler proves the claim or fails the build. Verification that doesn't depend on a model's judgment is rare, and getting rarer.
The guarantee travels with the artifact
Your operating model, your CI, your reviewer's diligence live in the environment that produced the code. Ship it elsewhere and those evaporate. Garnet's seal moves with the binary — the seal attests what the core proves — which matters the moment agent code crosses boundaries. It now does, constantly.
The connector explosion is the threat, not its refutation
Hallucinated dependencies, a critical MCP CVE, worm‑style supply‑chain attacks shipping malware with valid signatures — all authority‑management failures. More agents × more connectors = a larger ungoverned‑authority surface. Garnet addresses the problem the tooling growth is making worse.
Diff‑caps keeps a human in control at agent volume
When one senior can't read everything ten agents ship, review has to move into the artifact: accept a huge PR by reading one thing — did its authority envelope change? No skill provides that; it's a property of the type system.
Incumbent fluency ships incumbent footguns
An agent writes fluent Python and Python's ambient‑authority footguns, because the language predates capability thinking and bolts safety on coarsely, after the fact. A language built for capability from the type system up makes the safe thing the only expressible thing.
Garnet is the substrate under the tooling, not a rival to it
An MCP tool server written in Garnet declares its authority in its types, so the host verifies the envelope before granting it. "The only standard library where every function's authority is declared and verified" isn't competing with the connector economy — it's the trust layer that economy is missing.
Regulation is writing Garnet's spec — with no reference implementation
The EU Cyber Resilience Act's reporting obligations land this September; FDA change‑control plans, automotive OTA, and avionics all encode the same test — a change is allowed iff it stays inside a pre‑approved envelope, done by humans reading documents today. garnet build --evidence turns a consultant engagement into a compiler flag.
Attenuating delegation across agent swarms
When A delegates to B to C, authority should only shrink. Skills don't compose permissions; connectors don't attenuate; prompts can't enforce it. A capability lattice in the type system can make delegation provably narrow authority — load‑bearing as multi‑agent topologies become the default.
It amortizes senior judgment instead of re‑spending it
The crisis the AI‑first model creates is that juniors and agents can't be trusted to ship unreviewed. Garnet doesn't replace senior judgment — one senior defines the envelope once, and the compiler enforces it on every junior and every agent thereafter. Process must be re‑applied every time; a type applies itself.
Where it bites
Ten domains other languages own. In each, the incumbent solves the execution problem; none solves the acceptance problem — and acceptance is what breaks when code arrives faster than trust.
Runs with god‑credentials and near‑zero review. A Garnet step provably can't read the signing key or reach the network.
The #1 category agents write; touches prod data by definition. Exfiltration becomes a compile error, not an incident.
Pure authority manipulation in languages with no authority types. Garnet diffs the grant, not just the resource.
Move the contract into the artifact: per‑invocation bounds and caps that are the deployment policy. Upload evidence, not promises.
Every store reviews hand‑written manifests an attacker can lie in. Garnet manifests are compiler‑derived and sealed — verify, don't trust.
BEAM owns fault tolerance for processes; nothing owns it for agents. Supervised agent trees where a child can't exceed delegated authority.
An installed tool is ambient authority on the operator's machine. Garnet CLIs install with their manifest; brew info shows the authority surface.
Concede codegen; win the update acceptance path — verify incoming firmware's authority surface didn't grow before flashing.
Move protects assets on chain; the off‑chain code that decides to move money has nothing. Make the deciding code as auditable as the settling contract.
The languages own the math; none owns trust in the result. Sealed runs make "rerun my exact analysis" a verification, not an archaeology.
Other languages solve the execution problem. None solves the acceptance problem.
The world is writing the spec
The strongest signal isn't the argument above — it's that the demand is arriving from four directions at once, none of them aware Garnet exists.
Regulation, ~10 weeks out
The EU Cyber Resilience Act's reporting obligations apply this September; FDA predetermined‑change‑control plans, automotive OTA (R156), and avionics change‑impact analysis all encode the same envelope test. Today it's performed by humans reading documents — the exact process that collapses when AI‑velocity change meets human‑document validation.
An insurance market with nothing to price
Agent‑liability insurance is forming now, and it underwrites point‑in‑time red‑team snapshots — because there is nothing attestable to underwrite against. A capability envelope is the missing actuarial instrument: a continuous, verifiable statement of what the insured system can do.
A threat landscape making the timing argument for us
Measurable hallucinated‑dependency rates in agent code; a critical CVE in the MCP ecosystem; a supply‑chain worm that shipped malware with valid signatures. Every one is an authority‑management failure. Nobody is hearing the timing argument yet.
Language leaders describing the problem — unprompted
In recent public talks, figures who built the languages we use are describing this exact problem as their field's unsolved one: when an AI writes the change, you no longer know where it changed, and senior engineers are retiring rather than validate the churn. That's the diff‑caps problem, stated by people who've never heard of Garnet.
What this argument does not claim
Three honest boundaries
- This is a narrower, sharper need than a grand vision. Garnet is the trust substrate and enforcement layer for agent‑authored and agent‑granted authority — the thing beneath MCP, the
--evidencelayer, the swarm‑delegation primitive — not a general‑purpose better‑Python humans adopt for pleasure. - Need is not adoption. These reasons argue Garnet should exist. Whether it reaches the people who need it is a separate, unsolved bet that rides on a playground you can touch in thirty seconds, a real library shelf, and a community that doesn't exist yet. The idea can be right and still not make it.
- Every reason is currently mortgaged to the foundation being sound. A capability‑typed language whose own test surface can launder authority undercuts reasons 1 and 2 until that's fixed. The case for existence is real; realizing it is the foundation work happening now.
A skill can be skipped.
A type cannot.
The agent era doesn't retire the need for a capability‑typed language — it's the first era that makes the need unavoidable. Not because Garnet is a nicer language, but because it lives in the one layer the tooling can't reach: the artifact itself.