Inthon

Inthon (a portmanteau of Intelligent + Python) is a domain-specific, Python-hosted programming language layer designed specifically for AI-native workflows, autonomous tool orchestration, and capability-bounded agent execution.

Developed in 2026 by Harsha Vardhan (Founder & Chief Researcher at HarVa DeepLabs), Inthon bridges the gap between probabilistic Large Language Model (LLM) reasoning and secure, deterministic host computation. Unlike traditional agent frameworks that rely on unstructured natural language prompts, arbitrary JSON tool schemas, or raw Python script generation, Inthon allows LLMs to express execution intent in a compile-ready, statically checked syntax. This design reduces prompt token footprint, validates interfaces pre-compilation, and guarantees absolute host sandbox protection.

Design Philosophy & Motivation

Modern LLM architectures utilize function-calling loops or code generation to interact with external environments. These methods introduce three key issues:

1. Token Consumption: XML/JSON definitions and natural language boilerplate consume substantial context tokens, leading to increased latency and API costs.
2. Host Safety Hazards: Executing raw Python/shell commands from an LLM exposes the host filesystem, memory, and network to arbitrary OS code execution or compromise.
3. Debugging & Audit Hardness: Multi-turn reasoning loops can be highly non-deterministic, preventing auditability, execution replay, and granular policy control.

Inthon addresses these vulnerabilities through three design pillars:

• Token-Efficient EBNF Grammar: Minimal, clean language tokens optimized for low-token LLM generation.
• Capability-Based Sandbox: A strict runtime configuration engine limiting memory consumption, tool execution count, financial budgets, and system calls.
• Traceable JSON Logs: Dynamic generation of replayable JSON trace trees mapping every instruction, tool call, and evaluation node.

Language Reference & Syntax

Variables & Constants

Inthon enforces strict block scoping. Variables declared inside a block { ... } are bound to that scope and cannot be referenced outside of it.

• Mutable variables are declared with let.
• Immutable constants are declared with const and must be assigned at declaration time. Reassignment or redeclaration throws a compile-time check error.

Types are optionally annotated using a colon (e.g. : str).

// Declaring a mutable string variable
let name: str = "INTHON"

// Declaring a mutable float variable
let version: float = 0.1

// Declaring an immutable constant integer
const max_retries: int = 3

// Declaring typed collections
let models: list[str] = ["gpt-4o", "gemini-3.5", "claude-3"]
let metadata: dict[str, any] = {"accuracy": 0.94, "epochs": 10}

Type System

Inthon features standard primitive types alongside first-class abstractions tailored for data science, neural networks, and agent architectures:

• Primitives: str, int, float, bool, bytes, none, any.
• Agent & Execution Classes: Goal, Plan, ToolCall, ToolResult, Trace, MemoryRef, Approval, Policy.
• Data & Machine Learning Classes: DataFrame, Tensor, Model, Dataset, Embedding.

Control Flow & Closures

Conditional branching uses if-else blocks, while loops use while, and iteration uses for-in:

let threshold = 0.85
let confidence = 0.92

// Conditional branching structure
if confidence > threshold {
    return "Validation Success"
} else {
    return "Validation Failure"
}

Functions are declared using the fn keyword. The virtual machine pushes dynamic activation frames on call frame stacks. Nested functions capture local bindings from outer lexical scopes, establishing closures.

Inthon features an Implicit Return Pipeline. If the last statement inside a block or function scope is a raw expression (i.e. does not end with a semicolon or `return` keyword), it is automatically popped from the VM stack and returned.

// Higher-order function returning a nested closure
fn multiplier(factor: int) -> fn(int) -> int {
    fn inner(x: int) -> int {
        x * factor // Implicitly returns the evaluation of (x * factor)
    }
    return inner
}

let double = multiplier(2)
let result = double(10) // Resolves to 20

Agent Containers

The agent block maps an execution lifecycle. It encapsulates a goal directive, typed inputs/outputs interfaces, capability policies, and the plan instructions:

agent Researcher {
    // Description of agent's execution target
    goal "Retrieve recent papers on room-temperature superconductors"
    
    // Statically typed input interface
    inputs {
        query: str
        limit: int
    }
    
    // Statically typed output interface
    outputs {
        papers: list[dict]
    }
    
    // Explicit tool requirements
    use tool web.search
    
    // Runtime policy constraints (violating these throws PolicyViolationError)
    policy {
        max_tool_calls: 10
        max_cost_usd: 0.05
    }
    
    // The execution body
    plan {
        let raw_results = web.search(query: query, count: limit)
        return raw_results
    }
}

Agent-Native Primitives

Approval Gateways

Approval gateways block critical side-effects (e.g. initiating payment gateways, database writes) until a human-in-the-loop operator explicitly confirms the transaction:

// Halts execution and awaits human verification before invoking stripe.charge
approve stripe.charge before make_payment

When hit, the interpreter suspends thread execution, emits a structured event, and waits for a response.

Episodic Memory (SQLite-Backed)

Episodic memory enables persistence of semantic statements across sessions. Statements are stored inside a local SQLite database, and the engine performs cosine-similarity search over vector embeddings to query matching facts on demand:

// Persist a semantic fact into SQLite database
remember "Superconductors show zero electrical resistance at critical temperatures" in semantic_memory

// Recall the most semantically relevant statement using cosine-similarity search
let fact = recall "superconductor properties" from semantic_memory

Resilient Retries

External API connections are protected via structured retry loops with built-in exponential backoff:

// Attempts block execution up to 3 times, backoff interval grows exponentially
retry 3 with backoff exponential {
    let response = web.search(query)
    guard response.status == 200 // Ensures execution aborts/retries if condition fails
} catch error {
    return "Failed after 3 attempts: " + error.message
}

The backoff interval (in seconds) between retry attempts is calculated as follows:

t_backoff = base × 2^attempt ± jitter

Where base defaults to 1.0, attempt is the retry iteration (0-indexed), and jitter is a randomized offset to prevent request synchronization bottlenecks.

PyBridge Sandbox

To allow developers to utilize standard scientific modules, Inthon provides the PyBridge module import layer. Programs must explicitly declare standard python packages using the use py syntax:

// Import standard modules securely using PyBridge
use py.numpy as np
use py.pandas as pd

let data = [1.0, 2.0, 3.0, 4.0]
let mean = np.mean(data) // Invokes np.mean inside the proxy wrapper

To maintain sandbox integrity, PyBridge implements a two-tier defense:

1. Import Hook Interception: PyBridge injects a custom meta-importer hook inside Python's sys.meta_path. Whenever the script requests a library, the hook verifies the name against a strict allowlist. Unauthorized imports (such as os, sys, subprocess, ctypes, socket, builtins.eval, or builtins.exec) throw a PyBridgeError and halt execution.
2. Attribute-Level Proxy Protection (InthonPyObject): Allowed modules are wrapped inside a proxy object called InthonPyObject. This proxy overrides dunder attribute lookups (__getattribute__, __setattr__). If code attempts to access private properties (e.g. np.__dict__) or traverse namespaces to execute shell commands, the proxy raises a SecurityViolation exception and rolls back changes.

PyBridge Module Policy Matrix

Category	Approved Modules	Blocked Modules
Operating System & Shell	None	os, sys, subprocess, ctypes, builtins.eval, builtins.exec
Network Protocols	None (Use registered tools)	socket, urllib, requests (blocked inside raw execution)
Data & Scientific Math	numpy, pandas, math, json, datetime, collections	Any third-party module containing low-level file write operations

Compiler & VM Architecture

Inthon executes source programs in a multi-stage compilation frontend and virtual machine backend:

1. Lex & Parse: Tokenizes and parses concrete syntax rules using Lark's LALR parser engine.
2. AST Generation: Creates an immutable typed Abstract Syntax Tree representation of declarations and statements.
3. Semantic Analysis: Resolves scope bindings, type constraints, and validates tool/module signatures.
4. Policy Sandbox: Evaluates security configuration limits (rate limits, billing caps, execution timeouts).
5. IR Builder: Serializes the checked AST into a JSON-compatible Intermediate Representation (IR) containing bytecode instructions and constants.
6. Virtual Machine (InthonVM): A custom stack-based virtual machine executing lowered bytecode.

Custom VM Opcodes

Key bytecode instructions evaluated by the InthonVM dispatch loop include:

• LOAD_CONST: Pushes a constant literal onto the stack.
• STORE_NAME: Pops a value and registers it to a local identifier name.
• CALL_FUNCTION: Executes an Inthon-declared function.
• CALL_TOOL: Queries the schema registry and calls host tools.
• APPLY_POLICY: Intercepts scopes to apply resource quota limits.
• APPROVE_GATE: Suspends execution for human confirmation.

Language Grammar (EBNF)

The formal grammar of Inthon v0.1 written in Lark EBNF format:

?start: program
program: statement*

// ─── Statements ──────────────────────────────────────────────────────────────
?statement: import_stmt
          | let_stmt
          | const_stmt
          | fn_decl
          | agent_decl
          | return_stmt
          | approve_stmt
          | remember_stmt
          | forget_stmt
          | recall_stmt
          | guard_stmt
          | retry_stmt
          | eval_stmt
          | if_stmt
          | for_stmt
          | while_stmt
          | expr_stmt

// ─── Import Statements ───────────────────────────────────────────────────────
import_stmt: use_tool_stmt
           | use_py_stmt
           | use_memory_stmt

use_tool_stmt: "use" "tool" dotted_name
use_py_stmt:   "use" "py" "." dotted_name ("as" CNAME)?
use_memory_stmt: "use" "memory" "." dotted_name call_args?

// ─── Variable Declarations ───────────────────────────────────────────────────
let_stmt:   "let" CNAME type_annotation? "=" expr
const_stmt: "const" CNAME type_annotation? "=" expr
type_annotation: ":" type_expr

// ─── Type Expressions ────────────────────────────────────────────────────────
?type_expr: primitive_type
          | collection_type
          | agent_type

primitive_type: PRIMITIVE_TYPE
collection_type: "list" "[" type_expr "]"
               | "dict" "[" type_expr "," type_expr "]"
               | "tuple" "[" type_expr ("," type_expr)* "]"
               | "set" "[" type_expr "]"
agent_type: AGENT_TYPE

// ─── Function Declaration ────────────────────────────────────────────────────
fn_decl: "fn" CNAME "(" param_list? ")" ("->" type_expr)? block
param_list: param ("," param)*
param: CNAME type_annotation? ("= " expr)?

// ─── Agent Declaration ───────────────────────────────────────────────────────
agent_decl: "agent" CNAME "{" agent_body "}"
agent_body: goal_decl? inputs_decl? outputs_decl? import_stmt* policy_block? plan_block
goal_decl:    "goal" STRING
inputs_decl:  "inputs" "{" typed_field+ "}"
outputs_decl: "outputs" "{" typed_field+ "}"
typed_field:  CNAME ":" type_expr
policy_block: "policy" "{" policy_entry* "}"
policy_entry: CNAME ":" (STRING | INT | FLOAT | BOOL_LIT | dotted_name)
plan_block: "plan" "{" statement* "}"

// ─── Control Flow ────────────────────────────────────────────────────────────
return_stmt:  "return" expr?
if_stmt: "if" expr block ("else" (if_stmt | block))?
for_stmt:   "for" CNAME "in" expr block
while_stmt: "while" expr block

// ─── Agent Primitives ────────────────────────────────────────────────────────
approve_stmt:  "approve" dotted_name "before" CNAME
remember_stmt: "remember" expr "in" dotted_name
forget_stmt:   "forget" expr "from" dotted_name
recall_stmt:   expr "=" "recall" STRING "from" dotted_name
guard_stmt:    "guard" expr
retry_stmt:    "retry" INT "with" "backoff" CNAME block catch_block?
catch_block:   "catch" CNAME block
eval_stmt:     "eval" CNAME "against" CNAME "{" eval_criterion+ "}"
eval_criterion: CNAME COMPARISON_OP expr

// ─── Expressions ─────────────────────────────────────────────────────────────
?expr: or_expr
?or_expr: and_expr ("or" and_expr)*
?and_expr: not_expr ("and" not_expr)*
?not_expr: "not" not_expr  -> unary_not
         | comparison
?comparison: add_expr (COMPARISON_OP add_expr)*
COMPARISON_OP: "==" | "!=" | "<" | "<=" | ">" | ">="
?add_expr: mul_expr (ADD_OP mul_expr)*
ADD_OP: "+" | "-"
?mul_expr: unary_expr (MUL_OP unary_expr)*
MUL_OP: "*" | "/" | "%"
?unary_expr: ADD_OP unary_expr  -> unary_minus
           | power_expr
?power_expr: postfix_expr ("**" unary_expr)?
?postfix_expr: primary_expr
             | call_expr
             | member_expr
             | index_expr
             | method_chain

call_expr:    postfix_expr "(" arg_list? ")"
member_expr:  postfix_expr "." CNAME
index_expr:   postfix_expr "[" expr "]"
method_chain: postfix_expr "." CNAME "(" arg_list? ")"
arg_list: arg ("," arg)*
?arg: keyword_arg | positional_arg
keyword_arg: CNAME ":" expr
positional_arg: expr

?primary_expr: INT       -> int_literal
             | FLOAT     -> float_literal
             | STRING    -> string_literal
             | BOOL_LIT  -> bool_literal
             | NONE_LIT  -> none_literal
             | CNAME     -> identifier
             | list_expr
             | dict_expr
             | "(" expr ")"

list_expr: "[" (expr ("," expr)*)? "]"
dict_expr: "{" (kv_pair ("," kv_pair)*)? "}"
kv_pair: expr ":" expr

expr_stmt: assignment | expr
assignment: expr "=" expr

dotted_name: CNAME ("." CNAME)*
call_args:   " (" arg_list? ")"
block:       "{" statement* "}"

// ─── Terminals ───────────────────────────────────────────────────────────────
PRIMITIVE_TYPE: "str" | "int" | "float" | "bool" | "bytes" | "none" | "any"
AGENT_TYPE: "Goal" | "Plan" | "ToolCall" | "ToolResult" | "Trace"
          | "MemoryRef" | "Approval" | "Policy" | "DataFrame"
          | "Tensor" | "Model" | "Dataset" | "Embedding"

BOOL_LIT.2: "true" | "false"
NONE_LIT.2: "none"
CNAME:    /[A-Za-z_][A-Za-z0-9_]*/
STRING:   /\"(?:[^\"\\]|\\.)*\"|'/
INT:      /[0-9]+/
FLOAT:    /[0-9]+\.[0-9]*([eE][+-]?[0-9]+)?/

%ignore /[ \t\r\n]+/
%ignore /\/\/[^\n]*/
%ignore /\/\*.*?\*\//s

Code Examples

1. Hello World (Implicit Returns)

This script defines a standard string greeting function, binds the result to a mutable variable, and uses Inthon's implicit return pipeline to return the final value without a `return` keyword.

// Define a function returning a string type annotation
fn greet(name: str) -> str {
    return "Hello, " + name + "!" // Return concatenation expression
}

// Bind the result of calling greet()
let message = greet("INTHON Developer")

// Implicit Return: Expression is evaluated, popped off the VM stack,
// and returned to the host environment as the final script output.
message

2. Agentic Search & Memory

This example shows an agent declaring a goal directive, setting strict safety policies (allowing network calls and episodic storage), executing a web tool query, persisting the resulting facts in long-term memory, and recalling them semantic-vector search:

// Explicit import of the search capability
use tool web.search

agent ResearchAgent {
    // Declarative execution goal
    goal "Research and store findings in memory"
    
    // Enable local sandbox options
    policy {
        allow_network: true
        allow_memory_persist: true
    }
    
    // Core instruction plan
    plan {
        let query = "agent-level reasoning compiler"
        
        // Execute external tool validation schema
        let results = web.search(query, limit: 1)
        
        // Store results in the SQLite episodic database
        remember results in session
        
        // Query the database using semantic search
        let recalled = recall "compiler" from session
        
        // Output the matching statement
        return recalled
    }
}

3. Secure Python Interop (Pandas Analysis)

Demonstrating PyBridge safe imports. Pandas package is validated against the hook allowlist, and the dataframe is proxied through the InthonPyObject wrapper to intercept illegal attributes:

// Import secure proxy alias
use py.pandas as pd

// Create data structures using allowed numpy/pandas classes
let df = pd.DataFrame([
    {"item": "laptop", "price": 1200},
    {"item": "phone", "price": 800},
    {"item": "mouse", "price": 50}
])

// Summarize dataframe elements via safe method calls
let summary = df.to_dict()

// Implicitly return dictionary summary
summary

4. Human-In-The-Loop Approval Gates

Interrupting a plan routine to demand external confirmation before completing a sensitive charge action:

agent PaymentAgent {
    goal "Process payments with approval gates"
    policy {
        allow_payment: true
    }
    plan {
        // VM halts interpreter loop, emits hitl event, and awaits confirmation
        approve subscription_fee before pay
    }
}

5. Exponential Backoff Retry Loop

Executing a resilient tool search loop, wrapping failures in a retry statement that increases interval delay after each exception:

// Re-attempt plan block up to 3 times on exception
retry 3 with backoff exponential {
    let raw = web.search("artificial intelligence")
    
    // Enforce condition. If false, raises an exception triggering retry
    guard raw.status == 200 
} catch err {
    // Catch final failure block after all attempts exhaust
    return "Failed: " + err.message
}

Benchmarks & Performance

The interpreter and bytecode virtual machine configurations were validated across multiple token utilization, speed, and exploit resistance tests.

Token Prompt Efficiency

By representing plans as structured EBNF code structures rather than raw JSON structures or full natural language specifications, Inthon significantly reduces direct LLM costs:

Task	Natural Language	JSON Plan	INTHON Plan	Token Reduction
Research Report	120 tokens	90 tokens	52 tokens	-56.67%
CSV Summary	95 tokens	80 tokens	54 tokens	-43.16%
Approval Gate	80 tokens	70 tokens	19 tokens	-76.25%

Sandbox Latency & Execution Speed

Compiling Inthon code blocks to IR and executing them on the stack-based virtual machine introduces negligible overhead (< 1ms compile latency), ensuring real-time response speeds.

Workflow	Execution Status	Core VM Latency	Trace Log Size
Hello World	PASS	455.23 ms	1 event
Tool Search	PASS	5.35 ms	5 events
CSV Summary	PASS	590.91 ms	4 events
Agent Research	PASS	3.04 ms	7 events

Sandbox Safety Assertions

The InthonVM sandbox was subjected to 6 distinct exploit classes designed to hijack system shells, bypass billing quotas, or force payment blocks:

Attack Vector	Target Action	Expected Exception	Result
unauthorized_network	Access search API without policy permissions	PolicyViolationError	Blocked (Pass)
unsafe_import_subprocess	Importing subprocess to execute terminal code	PyBridgeError	Blocked (Pass)
unsafe_import_os	Importing os to access filesystem properties	PyBridgeError	Blocked (Pass)
max_tool_calls_exceeded	Exceeding session tool call caps	SandboxViolationError	Blocked (Pass)
max_cost_exceeded	Exceeding cost quotas	SandboxViolationError	Blocked (Pass)
approval_gate_denial	Manually rejecting Payment prompt	ApprovalDeniedError	Blocked (Pass)

External Links

• Official GitHub Repository
• Inthon Website Portal
• Interactive Developer Guide
• Technical Specification and Benchmark Report