{"id":50771283,"url":"https://github.com/nelsonduarte/capa-language","last_synced_at":"2026-06-12T22:06:19.685Z","repository":{"id":357175147,"uuid":"1235436189","full_name":"nelsonduarte/capa-language","owner":"nelsonduarte","description":"A capability-centric programming language. Hand-written compiler in Python.","archived":false,"fork":false,"pushed_at":"2026-06-08T20:51:37.000Z","size":6642,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T21:13:26.824Z","etag":null,"topics":["capability-security","compiler","cra","cyclonedx","language-design","llm-security","nis2","programming-language","sbom","slsa","spdx","static-analysis","supply-chain-security","type-system","vex"],"latest_commit_sha":null,"homepage":"https://capa-language.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nelsonduarte.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-11T10:20:06.000Z","updated_at":"2026-06-08T20:51:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nelsonduarte/capa-language","commit_stats":null,"previous_names":["nelsonduarte/capa","nelsonduarte/capa-language"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/nelsonduarte/capa-language","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsonduarte%2Fcapa-language","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsonduarte%2Fcapa-language/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsonduarte%2Fcapa-language/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsonduarte%2Fcapa-language/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nelsonduarte","download_url":"https://codeload.github.com/nelsonduarte/capa-language/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsonduarte%2Fcapa-language/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34263940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capability-security","compiler","cra","cyclonedx","language-design","llm-security","nis2","programming-language","sbom","slsa","spdx","static-analysis","supply-chain-security","type-system","vex"],"created_at":"2026-06-11T19:00:26.655Z","updated_at":"2026-06-12T22:06:19.674Z","avatar_url":"https://github.com/nelsonduarte.png","language":"Python","funding_links":[],"categories":["Dependency intelligence"],"sub_categories":["SCA and SBOM"],"readme":"\u003cp align=\"left\"\u003e\n \u003cimg src=\"capa_logo.svg\" alt=\"Capa logo\" height=\"80\"\u003e\n\u003c/p\u003e\n\n# Capa\n\n[![tests](https://github.com/nelsonduarte/capa-language/actions/workflows/tests.yml/badge.svg)](https://github.com/nelsonduarte/capa-language/actions/workflows/tests.yml)\n[![release](https://img.shields.io/github/v/release/nelsonduarte/capa-language?include_prereleases\u0026label=release\u0026color=blue)](https://github.com/nelsonduarte/capa-language/releases)\n[![license: MIT OR Apache-2.0](https://img.shields.io/badge/license-MIT%20OR%20Apache--2.0-blue.svg)](LICENSE)\n[![python: \u003e=3.10](https://img.shields.io/badge/python-%3E%3D3.10-blue.svg)](pyproject.toml)\n[![SLSA Level 1](https://slsa.dev/images/gh-badge-level1.svg)](https://slsa.dev/spec/v1.0/levels#build-l1)\n[![Discussions](https://img.shields.io/github/discussions/nelsonduarte/capa-language?logo=github\u0026color=blueviolet)](https://github.com/nelsonduarte/capa-language/discussions)\n[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg)](CONTRIBUTING.md)\n\n**Website: \u003chttps://capa-language.com/\u003e**\n\nCapa is a small, capability-typed programming language. Every\nfunction declares the authorities it holds (`Fs`, `Net`, `Stdio`,\n`Clock`, `Random`, `Env`, `Db`, `Proc`, `Unsafe`), the analyzer\nenforces those declarations statically, and the compiler emits\n**CycloneDX SBOM**, **SPDX 2.3**, **VEX**, and **SLSA Build L1\nprovenance** documents directly from the same capability signatures.\nYou get supply-chain artefacts that match the code, not a separate\nscanner approximating them after the fact.\n\nThe toolchain is a complete Python 3.10+ implementation: lexer,\nparser, semantic analyzer, transpiler to Python, runtime, language\nserver, formatter, documentation generator, and a **WebAssembly\nComponent Model backend** (`capa --wasm`) that compiles the same\nsource to a `.wasm` component with a WIT spec per capability, runnable\non any Component-Model-aware runtime or inline through the bundled\nwasmtime host.\n\n```bash\n$ capa --run examples/grades.capa\n=== Roster ===\n Ana: 17.5 (Excellent)\n Bruno: 13.0 (Pass)\n Carla: 8.5 (Fail)\n\nStatistics:\n Average: 14.083333333333334\n Passed: 5\n Failed: 1\n```\n\n## The 30-second story\n\nA pure helper declares no capabilities; the analyzer enforces it.\n\n```capa\nfun classify(score: Float) -\u003e String\n if score \u003e= 9.5\n return \"Excellent\"\n if score \u003e= 8.0\n return \"Good\"\n if score \u003e= 6.5\n return \"Pass\"\n return \"Fail\"\n```\n\nA function that prints needs `Stdio`; a function that reads files\nneeds `Fs`. The signature is the contract:\n\n```capa\nfun summarise(stdio: Stdio, fs: Fs, path: String) -\u003e Result\u003cUnit, IoError\u003e\n let body = fs.read(path)?\n stdio.println(\"first line: ${body.split(\"\\n\").get(0)}\")\n return Ok(())\n```\n\n`capa --manifest \u003cfile\u003e` emits the same information as JSON. The\nauditor reading the manifest sees exactly which functions can\nwrite to disk, talk to the network, or read the clock. There is\nno \"hidden Stdio\": the compiler refuses to compile a `classify`\nthat suddenly calls `stdio.println(...)` because `classify` does\nnot take `stdio: Stdio`.\n\nCapabilities can also be **attenuated**: `fs.restrict_to(\"data/\")`\nreturns a fresh `Fs` whose authority is narrowed to that prefix,\nand the narrowing is monotonic by construction.\n\nCapabilities control *which* effects a function may exercise;\n**information-flow control** constrains *where* data may flow. Mark\ndata `@secret` and the compiler proves it cannot reach a public sink\n(a log line, a network call, a file write) unless you route it\nthrough an audited `declassify`:\n\n```capa\nfun leak(env: Env, stdio: Stdio)\n match env.get(\"API_KEY\") // env.get is @secret by default\n Some(key) -\u003e stdio.println(key) // information-flow violation: secret to a public sink\n None -\u003e stdio.println(\"no key\")\n```\n\n`declassify(value, reason: \"...\")` is the single auditable\nsecret-to-public bridge, and every use is recorded in the SBOM as\n`declassification_sites`, so the manifest says exactly where, and why,\na program discloses sensitive data. The\n[tour](https://capa-language.com/tour.html) walks through the\nrest of the feature set.\n\n## Install\n\n```bash\n# Linux / macOS Apple Silicon (one-liner)\ncurl -fsSL https://raw.githubusercontent.com/nelsonduarte/capa-language/main/deploy/install.sh | bash\n```\n\n```powershell\n# Windows\nirm https://raw.githubusercontent.com/nelsonduarte/capa-language/main/deploy/install.ps1 | iex\n```\n\n```bash\n# From source (any platform with Python 3.10+)\ngit clone https://github.com/nelsonduarte/capa-language\ncd capa-language \u0026\u0026 pip install -e .\n```\n\nAfter install, `capa --version` should work from any directory.\nFor the manual binary download, language-server setup, and the\nVSCode extension, see [`docs/getting-started.md`](docs/getting-started.md).\n\n## CLI\n\n```bash\ncapa --run file.capa # transpile + execute via Python\ncapa --check file.capa # lex + parse + semantic check\ncapa --transpile file.capa # emit Python to stdout\ncapa --wasm --run file.capa # compile + run on wasmtime\ncapa --wasm --component --run file.capa\n # wrap as a Component Model\n # artifact + run via\n # wasmtime.component\ncapa --wasm --component --output app.wasm file.capa\n # write a standalone .wasm\n # component (WIT embedded)\ncapa --wit file.capa # emit the WIT spec to stdout\ncapa --manifest file.capa # JSON capability manifest\ncapa --cyclonedx file.capa # CycloneDX 1.5 SBOM (caps embedded)\ncapa --spdx file.capa # SPDX 2.3 (caps embedded)\ncapa --vex file.capa # standalone VEX document\ncapa --provenance file.capa # in-toto + SLSA Provenance v1.0\ncapa --doc file.capa # HTML doc page from /// comments\ncapa --fmt file.capa # canonical-style rewrite\ncapa init my-project # project scaffold\ncapa install # fetch capa.toml dependencies\ncapa test # run tests/test_*.capa; exit 0 = pass\n # (--wasm: Wasm backend; --both: run on\n # both backends AND diff their stdout,\n # divergence fails; see docs/testing.md)\ncapa migrate file.capa # Python-\u003eCapa hardening progress\n # (--json for the machine form;\n # see docs/migration.md)\ncapa lsp # language server (stdio)\n```\n\nArguments after `--` are forwarded to the program (visible via\n`env.args()`):\n\n```bash\ncapa --run myprog.capa -- input.json --verbose\n```\n\n## Real programs written in Capa\n\nThese live in standalone repositories, each around 500-1500 lines\nof Capa. Dependencies on the seed libraries are declared in a\n`capa.toml` and fetched by `capa install`; every demo's `README`\nwalks through the audit manifest.\n\n| Repo | What it does | What it stresses |\n|------|--------------|------------------|\n| [audit-trail-reporter](https://github.com/nelsonduarte/audit-trail-reporter) | Reads a JSONL financial transaction log, runs four AML rules (threshold, watchlist, structuring, velocity), emits CSV + JSON + alerts | Multi-module project; capability attenuation (read `Fs` for `data/`, write `Fs` for output); every rule provably pure |\n| [sbom-watch](https://github.com/nelsonduarte/sbom-watch) | Reads a CycloneDX SBOM + an OSV-style CVE DB + a policy file, emits a risk report. CI-friendly exit code | Cross-source matching shape. Consumes exactly what `capa --cyclonedx` produces |\n| [policy-eval](https://github.com/nelsonduarte/policy-eval) | Evaluates a JSON-encoded policy AST (with recursive `all_of`/`any_of`/`not`) against a subject document | Tree-walk interpreter shape; exercises recursive sum types |\n\nEach demo's `--manifest` is a good way to see what the capability\ndiscipline catches in practice: the rule functions and the\nrenderers declare no capabilities; only parsers and writers\never see `Fs`.\n\nAll three also run end-to-end under the Wasm backend with output\nbit-identical to the Python reference path, in both modes:\n`capa --wasm --run` (core wasm on wasmtime) and `capa --wasm\n--component --run` (Component Model artifact instantiated via\n`wasmtime.component`, no host-side memory bridges). The JSON\nparser is bundled into the guest module so no `capa:host/json`\nimport is needed at the Component Model boundary.\n\n## Standard library + seed libraries\n\nThe runtime ships built-in types (`Result`, `Option`, `List`,\n`Map`, `Set`, `JsonValue`) and built-in capabilities (`Stdio`,\n`Fs`, `Net`, `Env`, `Clock`, `Random`, `Db`, `Proc`, `Unsafe`).\nFull reference in [`docs/stdlib.md`](docs/stdlib.md).\n\nFour **seed libraries** live in standalone repos and are\nconsumed via the package manager:\n\n| Library | Repo | Surface |\n|---------|------|---------|\n| `capa_cli` | [nelsonduarte/capa_cli](https://github.com/nelsonduarte/capa_cli) | argument parser: positionals, flags, options, `--help` |\n| `capa_datetime` | [nelsonduarte/capa_datetime](https://github.com/nelsonduarte/capa_datetime) | ISO 8601 parsing + Y/M/D/h/m/s arithmetic, zero-capability |\n| `capa_log` | [nelsonduarte/capa_log](https://github.com/nelsonduarte/capa_log) | levelled logging (`DEBUG`/`INFO`/`WARN`/`ERROR`) via a `Logger` capability over `Stdio` |\n| `capa_http` | [nelsonduarte/capa_http](https://github.com/nelsonduarte/capa_http) | capability-typed HTTP client over `urllib`; caller sees `Http`, never `Unsafe` |\n\nTo use any of them in a project:\n\n```toml\n# capa.toml\n[package]\nname = \"my-project\"\nversion = \"0.1.0\"\n\n[dependencies]\n# For production: pin to an immutable commit SHA. Tags are\n# convenient but mutable upstream (a force-push moves them);\n# rev = \"\u003csha\u003e\" is what audit-grade builds want.\ncapa_log = { git = \"https://github.com/nelsonduarte/capa_log\", rev = \"\u003ccommit-sha\u003e\" }\n\n# For development the friendlier tag form works too; ``capa install``\n# records the resolved SHA in capa.lock and *refuses* on subsequent\n# runs when the upstream tag has been re-pointed at a different\n# commit. Pass ``--update`` to accept a new SHA deliberately.\n# capa_log = { git = \"https://github.com/nelsonduarte/capa_log\", tag = \"v0.1\" }\n\n# For audit-grade builds: add the publisher's GPG fingerprint and\n# ``capa install`` runs ``git verify-tag`` against your keyring,\n# refusing to install unless the signature matches. Defends against\n# account compromise + tag tampering even when the lockfile is empty.\n[dependencies.capa_log]\ngit = \"https://github.com/nelsonduarte/capa_log\"\ntag = \"v0.1\"\nverify_key = \"1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678\"\n\n# Test/tooling-only deps go under [dev-dependencies]: same schema,\n# same validation, installed only when THIS project is the install\n# root. Consumers of your package never fetch them. Declare from\n# the CLI with `capa add --dev \u003cname\u003e ...`.\n[dev-dependencies]\ncapa_testkit = { git = \"https://github.com/user/capa_testkit\", tag = \"v0.2\" }\n```\n\nThen `capa install` materialises the deps under `./vendor/` and\nthe loader picks them up automatically. See\n[`docs/packages.md`](docs/packages.md) for the manifest schema,\nlockfile semantics, and resolution order.\n\n## Project layout (sketch)\n\n```\ncapa/ # Python package: compiler + runtime + pkg manager\n lexer/ parser/ analyzer/ transpiler/ runtime/\n ir/ # CIR + Wasm Component Model backend + WIT emitter\n manifest/ docgen/ lsp/ pkg/ cli.py\ntests/ # 2593 unit, end-to-end, and property tests\nexamples/ # .capa programs (basics, CVE case studies, LLM sandbox)\n# (seed libraries now all live in standalone repos; see Standard library section)\ndocs/ # public website (HTML) + design writeups (.md)\nproofs/ # mechanised soundness theorems for lambda_cap (Agda)\nbenchmarks/ # Capa vs hand-Python micro-benchmarks\nCapa-EBNF.md # formal grammar\npyproject.toml # package metadata + optional [test] / [lsp] extras\nLICENSE STABILITY.md CONTRIBUTING.md SECURITY.md README.md\n```\n\n## Status\n\nCapa ships as **`1.0.0`** (released 2026-06-03), with the full\nsecurity axis (information-flow control, constant-time markers, and\ntypestate protocols) and the fully functional Wasm backend (see\n[`CHANGELOG.md`](CHANGELOG.md)). The stability commitment in\n[`STABILITY.md`](STABILITY.md) is now **in effect**: post-1.0,\nbreaking changes to the covered surfaces require a major bump, and\ndeprecations get one minor release of warning first.\n\n**2593 tests** spanning the lexer, parser, analyzer, transpiler,\nLSP, formatter, attribute-schema validation, package manager, the\ninformation-flow / constant-time / typestate checkers, the Wasm\nbackend (with a Python/Wasm output parity harness), and\nHypothesis-based property tests. The transpiler\nsuite actually executes the generated Python and checks stdout; the\nproperty suite fuzzes the full pipeline with arbitrary text and\nsyntax-aware Capa programs. The Wasm backend runs every capability\n(Fs, Env, Clock, Stdio, Net, Random, Db, Proc) and the full language\nsurface with output byte-identical to the Python reference, and\ncross-function capability attenuation is enforced soundly at the Wasm\nruntime via host-side handle tables.\n\nRun them:\n\n```bash\npython -m unittest discover tests\n# or\npip install -e '.[test]' \u0026\u0026 python -m pytest\n```\n\nThe Tier 1 supply-chain artefacts are **all shipping** today:\n\n| Artefact | Command | Notes |\n|----------|---------|-------|\n| Capability manifest | `capa --manifest` | per-function caps + attributes |\n| CycloneDX 1.5 SBOM | `capa --cyclonedx` | capability metadata via `properties[]` |\n| SPDX 2.3 SBOM | `capa --spdx` | capability metadata via `annotations[]` |\n| VEX | `capa --vex` | per-function exploitability claims via `@vex(...)` |\n| SLSA Build L1 | `capa --provenance` | in-toto Statement v1 + Provenance v1.0 predicate |\n| WIT spec | `capa --wit` | one interface per capability the program touches |\n| Wasm CM component | `capa --wasm --component --output app.wasm` | WIT embedded, canonical ABI |\n\nTier 2 (regulatory mapping) is **complete**:\n[`docs/regulatory.md`](docs/regulatory.md) covers the EU CRA,\nNIS2, DORA (cybersecurity articles), NIST SSDF, and OWASP SCVS\nside-by-side; the article-by-article CRA mapping lives in\n[`docs/cra.md`](docs/cra.md).\n\nThe `lambda_cap` soundness theorems are **mechanised in Agda**,\nno `postulate` remaining. Roughly 600 lines of self-contained\nAgda (no `agda-stdlib` dependency) cover Progress, Preservation,\nCapability Soundness, and a multi-step Manifest Completeness\ntheorem. CI typechecks the proofs on every push to\n[`proofs/`](proofs/). The full roadmap is at\n[`capa-language.com/roadmap.html`](https://capa-language.com/roadmap.html).\n\n## Documentation map\n\nThe marketing + rendered learning pages live at\n[`capa-language.com`](https://capa-language.com), source in the\n[`capa-language-website`](https://github.com/nelsonduarte/capa-language-website)\nrepo. The deeper Markdown documents below stay here, next to the\ncode they describe.\n\n| Doc | What it is |\n|-----|------------|\n| [`capa-language.com`](https://capa-language.com/) | landing page, with the case for the language |\n| [`capa-language.com/start.html`](https://capa-language.com/start.html) | install + first program + CLI |\n| [`capa-language.com/learn/`](https://capa-language.com/learn/) | 12-page tutorial sequence |\n| [`capa-language.com/manifest.html`](https://capa-language.com/manifest.html) | the manifest format + how to read it |\n| [`capa-language.com/roadmap.html`](https://capa-language.com/roadmap.html) | status + what's planned |\n| [`docs/getting-started.md`](docs/getting-started.md) | text version, plus LSP / editor setup |\n| [`docs/tutorial.md`](docs/tutorial.md) | longer walkthrough |\n| [`docs/reference.md`](docs/reference.md) | language reference (syntax + semantics) |\n| [`docs/stdlib.md`](docs/stdlib.md) | runtime + library APIs |\n| [`docs/packages.md`](docs/packages.md) | `capa.toml` + `capa install` + lockfile semantics |\n| [`docs/testing.md`](docs/testing.md) | `capa test`: discovery, result contract, `--both` parity diff |\n| [`docs/positioning.md`](docs/positioning.md) | honest comparison vs Pony, Koka, Roc, Wasm CM, Zero |\n| [`docs/semantics.md`](docs/semantics.md) | lambda_cap calculus sketch + soundness theorems |\n| [`docs/cra.md`](docs/cra.md) + [`regulatory.md`](docs/regulatory.md) | EU CRA + multi-jurisdiction regulatory mapping |\n| [`docs/migration.md`](docs/migration.md) | porting Python code to Capa |\n| [`docs/paper-draft.md`](docs/paper-draft.md) | workshop-paper draft |\n| `docs/cve_*.md` and `docs/demo-event-stream.md` | walkthroughs of real CVEs against Capa |\n\n## Programmatic use\n\n```python\nfrom capa import Lexer, Parser, analyze, transpile\n\nsource = open(\"program.capa\", encoding=\"utf-8\").read()\ntokens = Lexer(source, filename=\"program.capa\").lex()\nmodule = Parser(tokens, source=source, filename=\"program.capa\").parse_module()\n\nresult = analyze(module, source=source, filename=\"program.capa\")\nif not result.ok:\n for e in result.errors:\n print(e.format())\nelse:\n code = transpile(module, filename=\"program.capa\")\n print(code)\n```\n\n## Contributing + community\n\nQuestions, ideas, and showing off what you built with Capa all\nlive in [**GitHub Discussions**](https://github.com/nelsonduarte/capa-language/discussions):\n\n- **[Q\u0026A](https://github.com/nelsonduarte/capa-language/discussions/categories/q-a)** for \"the analyzer told me X and I don't understand why\".\n- **[Ideas](https://github.com/nelsonduarte/capa-language/discussions/categories/ideas)** for feature requests and \"what if Capa had X\".\n- **[Show and tell](https://github.com/nelsonduarte/capa-language/discussions/categories/show-and-tell)** for programs, manifests, integrations.\n- **[Announcements](https://github.com/nelsonduarte/capa-language/discussions/categories/announcements)** for release notes.\n\nPull requests welcome; see [`CONTRIBUTING.md`](CONTRIBUTING.md).\nFor security issues, please use the private vulnerability\nreporting channel at\n\u003chttps://github.com/nelsonduarte/capa-language/security/advisories/new\u003e;\nthe disclosure flow is in [`SECURITY.md`](SECURITY.md).\n\n## License\n\nDual-licensed under either [MIT](LICENSE-MIT) or\n[Apache-2.0](LICENSE-APACHE) at your option. SPDX expression\n`MIT OR Apache-2.0` (the Rust idiom). See [`LICENSE`](LICENSE)\nfor the rationale and the contribution clause.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnelsonduarte%2Fcapa-language","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnelsonduarte%2Fcapa-language","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnelsonduarte%2Fcapa-language/lists"}