Verifiable Spec Language
aglang turns reviewed architecture specifications into artifacts that humans can read and agents can execute against.
Write architecture intent once, compile it into machine-checkable artifacts, and let humans, agents, and CI use the same truth. Install: npm install -g @collivity/aglang
npm install -g @collivity/aglang
aglc install-agent-skillThen create or refresh the architecture interface for a repo:
aglc add .
aglc generate . --out architecture.ag
aglc compile architecture.ag --out architecture.o
aglc emit-context --arch architecture.o --out AGENTS.md
aglc emit-skill --arch architecture.o --out skill.jsonAfter that, agents and humans use the same checks:
aglc check-file --arch architecture.o --file src/foo.ts --json
aglc check --arch architecture.o --project . --diff <ref> --jsonaglang is a verifiable specification language for agents and humans.
You describe components, nodes, contracts, state machines, and rules in a .ag file. aglc compiles that specification into architecture.o, extracts deterministic facts from the repository, applies reviewed semantic queries from .agq.yml, and checks the resulting model with Z3-backed rules and deterministic policy gates.
The important point: engineers, agents, and CI all check the same machine-readable architecture truth, not three separate copies of it.
The first-page model is intentionally simple:
.ag, .agq.yml, and generated context before trusting them.aglc explain --violation <id> --json.aglc check does not call an LLM. Humans and agents can help author the spec or semantic queries, but the verification run uses committed source artifacts.
aglang is strongest where architecture intent can be stated as facts and rules:
machine blocks.The verification surface is made of reviewable files and machine-readable outputs:
.ag is the architecture source of truth.architecture.o is the compiled checked artifact..agq.yml files are the semantic layer over deterministic graph facts.AGENTS.md and skill.json are generated context for coding agents.Real architecture drift rarely stays inside one package. A release workflow, public API, generated docs, package metadata, and service implementation can live in different repositories while still representing one architecture decision.
aglang lets a reviewed architecture contract coordinate those surfaces. Components can carry repo: metadata, change policies can require related files to move together, and the same architecture.o can be used by humans, CI, and agents working on different slices of a system.
If you want maximum value from aglang, treat generated specs and queries as drafts. The reviewed .ag, .agq.yml, and generated verification artifacts are the product.
aglc request-scan --project /path/to/projectAn agent can use the emitted task packet to inspect the repo, propose architecture.proposed.ag, propose .agq.yml semantic queries, and write review notes. Humans approve architecture intent before enforcement. You can also write architecture.ag by hand.
Refine component boundaries, runtime nodes, contracts, and invariants so they match the real system rather than only the file tree.
aglc compile architecture.agaglc check-file --arch architecture.o --file src/foo.cs --json
aglc check --arch architecture.o --project . --diff <ref> --jsonUse --diff <ref> for the change you're actually making — it diffs against the base branch/commit and is the only mode that can catch change_policy violations. Reserve --all for a full-repo baseline check; it marks every file "touched," which makes it structurally unable to tell whether a companion file was really updated alongside the one that changed.
The same checked artifact can run locally and in CI. Humans and agents both hit the same gate.
Not every declaration is enforced the same way.
| Level | Used for | Meaning |
|---|---|---|
formal_z3 | deny flow, deny reach, require flow, require operation, deny dataflow, data_policy, trust_policy, di_policy, permission, change_policy, machine, value_policy, operation_policy, event_policy | Checked with solver-backed constraints when extractors or reviewed queries produce definite evidence. |
deterministic_policy | contract, workflow_policy | Checked by deterministic gates with exact diagnostics. |
formal_z3 | require encryption / deny unencrypted flow | Blocks only when deterministic extractors or reviewed .agq.yml files emit definite unencrypted-flow evidence. |
That distinction is part of the contract with users: aglang should say clearly what is proven, what is policy-checked, and what is only guidance.
Agents drift when they optimize locally and forget system intent. Subagents drift even faster because they usually operate with less context.
aglang helps by moving architecture intent out of the prompt and into a checked artifact:
AGENTS.md and architecture.ocheck-fileThis does not remove the need for architecture review. It gives that review an executable form.
Request a repository scan:
aglc request-scan --project /path/to/your/projectaglc request-scan writes an agent task packet. The agent does semantic scanning and proposal work; aglc validates only approved .ag and .agq.yml artifacts. Full getting-started guide →