Language Reference · kwam.dev/v0.2
Lexical structure, literal forms, the type system, the parsing model, the nine blocks, and the fail-closed error model: the concepts the parser and validator enforce.
Line-oriented, total, and deliberately small.
KWAM is line-oriented: statements are newline-terminated, comments begin with #, and a small fixed set of reserved keywords introduces the block declarations. An IDENT excludes - by design: this keeps the lexer total and avoids ambiguity with a future minus. Any hyphenated enum value must be written in underscore form (s3_fifo, below_workload) or quoted as a string.
The full lexical grammar and reserved-keyword set are provided to licensees.
Units are first-class. A sha256: address is a String / cid, never a duration.
| Category | Examples | Lowered type |
|---|---|---|
| string / content-address ref | "hello" · "sha256:9f3a…d21" | String |
| number | 3 · 1_000_000 | Int / Float |
| duration | 250ms · 5s · 30m · 4h | Duration |
| size | 4kb · 64mb · 2gb | Size |
| percent | 99.9999percent · 0.1% | Percent |
| nines | 6nines · 9nines | Nines |
| count | 3 · 8x | Count |
| cidr | 10.40.0.0/16 | CIDR |
| host:port | kwam-seed.internal:<port> | HostPort |
| identity ref | spiffe://kwam/acme/cl-7/*/*/*/seed | Identity |
| secret ref | secret://vault/kwam/mtls-ca | SecretRef |
| grant ref | grant://<signed-consent-token> | GrantRef |
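A small classifier for the literal forms in the table above, as an added example that is not KWAM's own lexer. The unit suffixes, reference schemes and regular expressions are assumptions drawn only from the table's examples (the licensed grammar is not on this page); any token that matches no form is refused rather than given a default type.

```python
import ipaddress
import re

class ParseError(ValueError):
    """Fatal: the token matched no known literal form."""

# Closed tables built only from the examples in the table above (assumed,
# not the licensed grammar). A suffix or scheme outside them is an error.
UNITS = {"ms": "Duration", "s": "Duration", "m": "Duration", "h": "Duration",
         "kb": "Size", "mb": "Size", "gb": "Size",
         "percent": "Percent", "%": "Percent", "nines": "Nines", "x": "Count"}
REF_SCHEMES = {"spiffe": "Identity", "secret": "SecretRef", "grant": "GrantRef"}
NUMBER = re.compile(r"(\d[\d_]*(?:\.\d+)?)([a-z%]*)")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")      # '-' excluded by design
HOSTPORT = re.compile(r"[A-Za-z0-9.-]+:(\d{1,5})")

def classify(token: str) -> str:
    """Return the lowered type of one literal token, or raise ParseError."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return "String"          # a quoted "sha256:..." ref stays a String
    scheme, sep, rest = token.partition("://")
    if sep:
        if scheme in REF_SCHEMES and rest:
            return REF_SCHEMES[scheme]
        raise ParseError(f"unknown reference scheme in {token!r}")
    if "/" in token:
        try:
            ipaddress.ip_network(token, strict=True)   # host bits must be zero
        except ValueError as exc:
            raise ParseError(f"bad cidr {token!r}") from exc
        return "CIDR"
    m = NUMBER.fullmatch(token)
    if m:
        digits, unit = m.groups()
        if unit == "":
            return "Float" if "." in digits else "Int"
        if unit in UNITS:
            return UNITS[unit]
        raise ParseError(f"bad unit {unit!r} in {token!r}")
    m = HOSTPORT.fullmatch(token)
    if m and 0 < int(m.group(1)) <= 65535:
        return "HostPort"
    if IDENT.fullmatch(token):
        return "Ident"
    raise ParseError(f"illegal token {token!r}")
```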
Restricted by design: KWAM is declarative config, not a general language.
KWAM has a small, closed set of typed scalars — strings and content-address refs, numbers, units (durations, sizes, percentages, nines, counts), network and identity references — plus a few compound forms (lists, string-keyed maps, and typed references to other blocks). The complete type system is provided to licensees.
Expressions are literals, references, list/map construction, interpolation ${expr}, and a guarded ternary over comparison operators on scalars. No loops, no user functions, no imperative verbs: this keeps the interpreter total and every program auditable.
```
import "std/faultdomains" as fd      # signed, content-addressed module
use fd.regions                       # hoist symbols into scope
let fanout = 8x
let ca = secret://vault/kwam/mtls-ca # resolved at runtime only
```
Recursive descent, one directive per line, one token of lookahead.
A program opens with an apiVersion header and is otherwise a sequence of top-level declarations: imports and bindings, then the block declarations. Every block is a brace-delimited body of directives; each directive is either a key/value pair or a nested block. Expressions are deliberately minimal: literals, references, list/map construction, and a guarded ternary over scalar comparisons. The full formal grammar is provided to licensees.
Each declaration lowers to one typed policy object and is validated before it can run.
| Block | Lowers to | Required keys | Purpose |
|---|---|---|---|
| server | Server | identity · transport · ports · seeds | Governed control plane + kill-switches; trust required before any deploy. |
| client | ClientSpec | image (cid) | Per-node micro-service; sandbox ≥ policy floor; mutable tags rejected. |
| discovery | DiscoveryPolicy | strategy · fanout | Gossip membership + mesh; optional narrow LLM negotiator. |
| replicate | ReplicationPolicy | factor · anti_affinity | Fault-domain placement; factor ≥ 2, ≤ max_factor. |
| guard | SLAPolicy | durability · mttr_restore · integrity | The honest core; nines checked vs the math (see durability). |
| policy | CapabilityGrant | grants (+ ca, sandbox_floor) | RBAC, trust anchor, sandbox floor, scoped discovery. |
| deploy | AuthorizedRollout | client · to · server · consent | Rollout gated on an externally-minted signed token. |
| metric | SLO | observe · target · window | Binds an observable to a target; feeds the error budget. |
| profile | Profile | hardware | Interconnect/latency model + health hooks (h100/tpu/trainium). |
Two closed enumerations are shared everywhere: a fixed capability set and an ordered set of sandbox tiers (floor-enforced; an un-sandboxed tier is never permitted). Because both are closed, an unrecognized value is a parse-time error rather than a silent default. The exact enum members are provided to licensees.
Three error classes, all fatal and fail-closed.
Parse: an unknown key or block key, a bad unit, an illegal identifier, or an ambiguous brace.
Lowering/validation: unbacked nines; a missing or invalid consent reference; a config scope that is not a subset of the token's resource glob; a mutable image tag; a sandbox below the policy floor; a module digest mismatch; a replication factor over its ceiling; a deploy referencing a server with no trust.
Runtime: schema-failed advisory output falls back to deterministic order; an integrity mismatch re-pulls; a consent signature/freshness/spent-ledger failure refuses the action and audits it.
In every class the parser or validator refuses rather than guesses; the program never runs in a partially-understood state.
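A sketch of fail-closed validation covering four of the lowering checks named above (mutable image tag, sandbox below the floor, replication factor out of range, deploy against an untrusted server). It is an added example, not KWAM's validator: the `Program` record, the tier names and the `sha256:` plus 64 hex digits image form are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical tier names, weakest first; the real closed enum is not on this page.
SANDBOX_TIERS = ("tier_a", "tier_b", "tier_c")
CID = re.compile(r"sha256:[0-9a-f]{64}")   # assumed content-address form

class ValidationError(Exception):
    """Fatal: carries every reason the program was refused."""
    def __init__(self, reasons):
        super().__init__("; ".join(reasons))
        self.reasons = reasons

@dataclass(frozen=True)
class Program:               # constructed stand-in for a lowered program
    image: str
    sandbox: str
    sandbox_floor: str
    factor: int
    max_factor: int
    server_trusted: bool

def tier_rank(name, what, reasons):
    # Closed enum: an unknown tier is an error, never a silent default.
    # (The page places this check at parse time; it is folded in here.)
    if name not in SANDBOX_TIERS:
        reasons.append(f"{what}: unrecognized sandbox tier {name!r}")
        return None
    return SANDBOX_TIERS.index(name)

def validate(p: Program) -> Program:
    """Return p only if every check passes; otherwise raise with all reasons."""
    reasons = []
    if not CID.fullmatch(p.image):
        reasons.append("client.image: not a content address (mutable tag?)")
    have = tier_rank(p.sandbox, "client.sandbox", reasons)
    floor = tier_rank(p.sandbox_floor, "policy.sandbox_floor", reasons)
    if have is not None and floor is not None and have < floor:
        reasons.append("client.sandbox: below policy floor")
    if not 2 <= p.factor <= p.max_factor:
        reasons.append("replicate.factor: outside [2, max_factor]")
    if not p.server_trusted:
        reasons.append("deploy.server: server has no trust")
    if reasons:
        raise ValidationError(reasons)
    return p
```

Collecting every reason before raising keeps the refusal auditable while still guaranteeing that nothing is returned for a program with any failed check.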
A conformance suite, the adversarial test corpus that exercises each of these failure modes and pins the expected fail-closed verdict, is provided to licensees.
KWAM is our intellectual property, grounded in Swiss law.
KWAM — its source code, the KWAM language, the JHMM reconstruction orchestrator, the deterministic codec runtime, and all associated AI components — is a proprietary computer program and the sole and exclusive intellectual property of KWAM.CH. As a computer program it is a protected work under the Swiss Federal Act on Copyright and Related Rights (Copyright Act, CopA), and the exclusive rights of use vest in KWAM as employer; it is further protected as a trade secret under the Swiss Federal Act Against Unfair Competition (UCA). KWAM is offered by private licence only. All rights reserved.
CopA (SR 231.1) Art. 2 para. 3 & Art. 17 · UCA (SR 241) Art. 6 · Governed by the laws of Switzerland · Place of jurisdiction: Zürich