AILANG · topics
§ topic
AILANG × privacy
Customer data labelled at the type level. AILANG marks PII at the field declaration; crossing into a public sink without an explicit Declassify boundary is a compiler error. Combined with capability-scoped network calls and three-runtime deploy (browser WASM / Cloud Run / native), sensitive data has nowhere to leak that the type checker can't see.
Leaderboard
refreshed daily · last update 2026-06-02 · 10 sketches
What the compiler enforces
Six AILANG features keep your data inside boundaries the type system polices. Tap any row to see the rubric signal (where there is one) and the language primitive that ships it.
01IFCInformation-flow labelsPII can't reach a public sink without an explicit declassification effect.
string<pii> ⟶ ! {Declassify}
Rubric — how we score it
Not directly scored — the rubric measures what's visible in a single page fetch, and this is a type-system property of the code you ship.
AILANG ships
The LinkedInComment type marks authorName and text as string<pii>. To produce a public version they must pass through linkedinSanitiseComment, whose signature carries ! {Declassify} — it SHA-256s the actor URN into initials + a six-hex seed. Any code that publishes the raw fields doesn't compile.
02EFREffect rowsEvery side effect a function performs appears in its type signature.
! {Net, FS, AI, IO}
Rubric — how we score it
Not directly scored — the rubric measures what's visible in a single page fetch, and this is a type-system property of the code you ship.
AILANG ships
The dispatcher that publishes a sketch declares ! {Net, FS, AI, IO} in its type. Anything not listed there is unreachable from this code path — no telemetry, no quiet exfil, no "oh, that function also writes a file". Reviewer attention not required.
03CAPCapability budgetsEach run is capped at a known number of network and AI calls.
Net @limit=1, AI @limit=50
Rubric — how we score it
Heuristic on outbound HTTPS count in the body — fewer external resources is the proxy. ≤10 = 2 pts, 11–20 = 1 pt, >20 = 0 pts.
AILANG ships
The comment-fetch is Net @limit=1 — at most one HTTPS request per run, enforced by the runtime. No retry loops, no surprise outbound traffic. The sketch generator's AI budget is similarly bounded.
04CONContracts & Z3 verificationLinkedIn's 3000-char post limit is proved at compile time, not checked at runtime.
requires { len(text) ≤ 3000 }
Rubric — how we score it
Not directly scored — the rubric measures what's visible in a single page fetch, and this is a type-system property of the code you ship.
AILANG ships
linkedinCreatePost carries a requires clause that an SMT solver proves before any binary is produced. The rubric scorer's ensures { points <= maxPoints } is a contract too. Violations don't ship — they don't compile.
05AIEThe AI effectEvery Gemini/Claude/GPT call is a typed, budgeted, stubbable effect.
! {AI}
Rubric — how we score it
Detected when the body mentions a known LLM provider (claude, gpt-, openai, anthropic, gemini, "powered by ai") — surfaces an existing third-party data flow worth labelling.
2 pts maxAILANG ships
The Gemini call that extracts your site is a first-class effect, not an HTTP wrapper. Per-run budget, deterministic-stub in tests, appears in every caller's signature. Nothing in the rendering path can sneak in a second model call.
06ADTClosed sum typesAdding a new case without handling it everywhere is a compile error.
type Topic = Privacy | Portable | AgentReady
Rubric — how we score it
Not directly scored — the rubric measures what's visible in a single page fetch, and this is a type-system property of the code you ship.
AILANG ships
Topics are a closed ADT. Adding a fourth without handling it in the scorer, the renderer, and the leaderboard is a compile-time error — there's no "unknown topic" fallback that could quietly drop a sketch.