Object-Capability Security

Turn's Object-Capability (OCap) model prevents LLM hallucination and guest-code leakage from ever exposing sensitive API keys to the network or logs.

The secret parameter modifier is a Turn VM primitive. When llm_tools.rs converts a tool signature into an OpenAI JSON Schema for tool use, it strips every secret parameter, so the LLM has no knowledge that these parameters exist. If Turn script code attempts to echo or serialize a Cap value, the VM immediately raises a PrivilegeViolationTrap.

secure_capability.tn
// Turn Language: Object-Capability Security
// The LLM can CALL stripe_charge but can never see the api_key.

// 1. Define the secure tool — the "secret" modifier strips api_key from LLM schema
let stripe_charge = tool turn(
  customer_name: Str,
  amount: Num,
  secret api_key: Cap   // LLM never sees this parameter
) -> Bool {
  call("echo", "[Stripe] Charging $" + amount + " to " + customer_name);
  // api_key is an opaque Cap handle — the actual sk_live_... string lives
  // in the Rust ToolRegistry, never in the Turn heap.
  return true;
};

// 2. Acquire the capability from the trusted host environment
let stripe_key = call("load_cap", "STRIPE_SECRET_KEY");

// 3. Inject it — the LLM orchestrator calls stripe_charge without ever 
//    knowing the key exists; Turn injects it transparently at call time.
let result = infer Bool with [stripe_charge] {
  "Charge customer Alice $99.00 for Pro subscription.";
};

call("echo", "Charge succeeded: " + result);

Run it:

export STRIPE_SECRET_KEY=sk_live_...
turn run impl/examples/secure_capability.tn

The full implementation is in impl/examples/secure_capability.tn.
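
The schema-stripping step described above can be sketched in Rust as follows. This is an added example, not the code in Turn's llm_tools.rs: the types Cap, Arg, Param and Tool and the functions llm_schema and bind_call are hypothetical. Rejecting a model-supplied argument that names a secret parameter is an assumed hardening step that the page does not describe.

```rust
// Added illustration with hypothetical names; not the code in Turn's llm_tools.rs.
use std::collections::HashMap;

/// Opaque handle: guest code holds an index, the host registry holds the secret.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Cap(pub usize);
#[derive(Debug, PartialEq)]
pub enum Arg { Value(String), Handle(Cap) }
pub struct Param { pub name: &'static str, pub json_type: &'static str, pub secret: bool }
pub struct Tool { pub name: &'static str, pub params: Vec<Param> }

/// Mirrors the page's stripe_charge signature (Str -> string, Num -> number).
pub fn stripe_charge() -> Tool {
    let p = |name, json_type, secret| Param { name, json_type, secret };
    Tool { name: "stripe_charge", params: vec![p("customer_name", "string", false),
        p("amount", "number", false), p("api_key", "", true)] }
}

/// Schema shown to the model: secret params are absent from both "properties"
/// and "required", so nothing in the prompt reveals that they exist.
pub fn llm_schema(tool: &Tool) -> String {
    let visible: Vec<&Param> = tool.params.iter().filter(|p| !p.secret).collect();
    let props: Vec<String> = visible.iter()
        .map(|p| format!(r#""{}":{{"type":"{}"}}"#, p.name, p.json_type)).collect();
    let required: Vec<String> = visible.iter().map(|p| format!(r#""{}""#, p.name)).collect();
    format!(r#"{{"name":"{}","parameters":{{"type":"object","properties":{{{}}},"required":[{}]}}}}"#,
        tool.name, props.join(","), required.join(","))
}

/// Check a model-produced call: an argument naming a secret or unknown parameter
/// is rejected (assumed hardening); secret slots are filled only from host-bound caps.
pub fn bind_call(tool: &Tool, model_args: &[(&str, &str)], caps: &HashMap<&str, Cap>)
    -> Result<Vec<Arg>, String> {
    for (k, _) in model_args {
        match tool.params.iter().find(|p| p.name == *k) {
            Some(p) if !p.secret => {}
            _ => return Err(format!("disallowed argument from model: {}", k)),
        }
    }
    tool.params.iter().map(|p| if p.secret {
        caps.get(p.name).map(|c| Arg::Handle(*c)).ok_or(format!("no cap bound: {}", p.name))
    } else {
        model_args.iter().find(|(k, _)| *k == p.name).map(|(_, v)| Arg::Value(v.to_string()))
            .ok_or(format!("missing argument: {}", p.name))
    }).collect()
}

fn main() {
    println!("{}", llm_schema(&stripe_charge()));
}
```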