Blake Burns Technologies Inc.  ·  v1.0  ·  Phase 6

Small
World.
Vast
Power.

// a programming language named after the most famous dwarf planet

Pluto is a compiled, capability-secure, actor-concurrent programming language built in Rust. Like its namesake — small in size, enormous in significance — Pluto delivers production-grade safety from a vocabulary you can hold in your head.

Explore the Language See Features
Astronomy × Engineering

Where Pluto Lives

5.9 billion km from the Sun, orbiting in the Kuiper Belt. Discovered 1930, reclassified 2006, immortalised by New Horizons in 2015. Our language carries that same spirit — frontier technology, quietly groundbreaking.

0× 10⁶ kmDistance from Sun
0km diameterSmaller than our Moon
0Earth YearsOrbital Period
0Known MoonsCharon leads them
0CE DiscoveryClyde Tombaugh
The Language

A Spacecraft
for Your Programs

Pluto compiles your source to bytecode, runs it on a Rust-native VM, and gets out of the way. The surface is small enough to learn in an afternoon — capsules for objects, orbit for loops, explore/divert for errors.

Under the hood the VM runs a mark-sweep GC, an M:N actor scheduler, and a RASP security engine that intercepts every I/O call. Phase 6 adds the time module — timestamps, formatting, timers, and ISO 8601 parsing, all from std, no external crates. The language literally cannot execute a network request without a permit declaration.

Ph.0
Foundation
literals · arithmetic · orbit · if/else · clip
Ph.1
Functions & Lists
recursion · closures · first-class functions
Ph.2
Capsules
objects · methods · inheritance · super calls
Ph.3
Error Handling
explore/divert · jettison · pattern matching
Ph.4
RASP I/O
capability-gated fs · networking · GC
Ph.5
Actor Concurrency
spawn · send · receive · deadlock detection
Ph.6
Datetime
time.now · time.format · time.diff · time.sleep · time.parse · time.components
mission_control.plt
// Pluto v1.0 — capability-secure language · Phase 6

capsule Telemetry {
  altitude
  velocity

  report() {
    return self.altitude * self.velocity
  }
}

system MissionControl {
  permit fs.read("/data/telemetry")
  permit net.transmit("https://api.nasa.gov")
  permit time.sleep("*")

  monitor(probe_id) {
    msg = receive
    transmit(msg)
  }

  launch() {
    t = Telemetry { altitude: 5906, velocity: 4.74 }
    transmit(t.report())

    // Phase 6: log current UTC time
    launch_ts = time.now()
    transmit(time.format(launch_ts, "[%Y-%m-%d %H:%M:%S UTC] launch"))

    spawn monitor("new-horizons")

    // Phase 6: measure I/O latency
    t0 = time.now()
    explore {
      data = fs.airlock("/data/telemetry/pluto.log")
      transmit(data)
    } divert(err) {
      transmit(err)
    }
    elapsed = time.diff(t0, time.now()) * 1000
    transmit(elapsed)   // ms elapsed

    // Phase 6: countdown with sleep
    n = 3
    orbit (n > 0) {
      transmit(n)
      time.sleep(1)
      n = n - 1
    }
    transmit("ignition")
  }
}
Architecture

Compiled to
Bytecode. Run in Rust.

The pipeline is Lexer → Parser → Analyzer → Compiler → VM. The compiler emits a compact bytecode chunk with a constant pool. The VM executes with a stack machine — fast, simple, auditable.

The RASP engine normalizes every tainted string through an iterative URL-decode loop before running ~80 regex rules. Inputs needing more than 8 decode passes to stabilize are blocked outright — over-encoding is itself a signal of attack.

pipeline.txt
// Compilation & execution pipeline

  source.plt
       │
       ▼
  Lexer      // logos · zero-copy tokenization
  Token stream
       │
       ▼
  Parser     // recursive descent · AST
  Program AST
       │
       ▼
  Analyzer   // capability check · static security
  Verified AST
       │
       ▼
  Compiler   // bytecode emit · constant pool
  Chunk { code[], constants[] }
       │
       ▼
  Scheduler  // M:N actor runtime · PID registry
       │
       ▼
  VM         // stack machine · GC · RASP engine
       │
       ▼
  Output + Security
Capabilities

Built for the Frontier

🛡
Capability-Based Security

Every I/O call requires a static permit before a single instruction runs. The analyzer rejects unpermitted access at compile time — not at runtime, not with exceptions.

compile-time
🔒
RASP Self-Protection

80+ rules across SQL injection, XSS, command injection, SSRF, XXE, and WAF-bypass patterns. Tainted strings are normalized before scanning — encoding tricks collapse first.

runtime
Actor Concurrency

spawn, send, receive. Each actor owns an isolated VM heap — no shared memory, no data races. M:N scheduler with deadlock detection runs on all available cores.

phase 5
🪐
Capsule Inheritance

Object-oriented via capsules — single inheritance, super dispatch, first-class closures with mutable upvalue capture that persists across calls.

phase 2
🌌
Mark-Sweep GC

Heap objects (capsules, lists, closures) managed automatically. The GC threshold doubles after each collection cycle, amortising overhead across bursty allocation patterns.

automatic
🔭
Taint Tracking

Every string from file or network I/O is marked tainted. Taint propagates through operations. At every I/O boundary, tainted strings are normalized and re-scanned.

security
🎯
Pattern Matching

match supports numeric literals, strings, Vacuum, capsule type-check, binding variables, and wildcards. Arms short-circuit; clean exhaustive syntax.

phase 3
🌊
explore / divert

Pluto's error model: explore the risky path, divert when something is jettisoned. Full stack and locals unwinding with a clean error binding.

phase 3
Native Compilation

pluto compile serialises bytecode + function tables, generates a standalone Rust project, and emits a fully native binary. No interpreter at deploy time.

aot
🕐
Datetime Module

Phase 6 adds time.now(), time.format(), time.diff(), time.sleep(), time.parse(), and time.components(). Timestamps are Unix epoch Floats — no special types, no external crates, all pure std.

phase 6
📅
21 Format Tokens

time.format(ts, fmt) supports %Y %m %d %H %M %S %f %A %a %B %b %I %p %P %Z %s %Q %% %n %t %e — ISO, log-style, human-readable, 12-hour, abbreviated, and millisecond-precision output.

phase 6
Timers & Stopwatches

Measure elapsed time with time.diff(a, b) — returns b − a in seconds (fractional, negative when b is earlier). time.sleep(secs) blocks an actor for a precise duration. Needs permit time.sleep.

phase 6
RASP Engine

Security at Every Altitude

Three independent layers. None can be bypassed by the program being run.

L1Capability SystemCompile time
L2Taint PropagationVM runtime
L3RASP Rule EngineI/O boundary
NNormalization PipelinePre-scan
① Iterative URL-decode · max 8 passes · excess = BLOCK
② Unicode fullwidth fold (select → select)
③ Null-byte strip
④ Whitespace collapse
⑤ HTML entity decode (&lt; → < etc.)
⑥ Lowercase
Threat Coverage

Every Attack Vector
Accounted For

The rule engine covers the OWASP Top 10 and beyond. Path rules fire before every filesystem call. Payload rules run on every string crossing an I/O boundary. Header rules protect every network send.

SQL InjectionXSSCommand Injection Path TraversalSSRFXXE LDAP InjectionSSTIHeader Injection Log InjectionShell UploadCRLF Injection HTTP SmugglingOpen RedirectCredential Leak Double EncodingUnicode BypassNull Byte WAF BypassDOM SinksReverse Shells
Language Design

Keywords from the Cosmos

Every keyword in Pluto is themed to its namesake. The language speaks the language of space exploration.

orbitLoop / WhileRepeat while a condition holds — like Pluto completing one orbit every 248 Earth years.
capsuleClass / ObjectA sealed, pressure-rated unit of data and behaviour. Fields, methods, inheritance.
transmitPrint / OutputSend data outward — like a probe transmitting telemetry across the void of space.
jettisonThrow / ErrorEject an error payload. Caught by the nearest explore/divert handler or terminates the actor.
exploreTry BlockVenture into uncertain territory. If something goes wrong, the divert block handles the fallout.
divertCatch BlockChange course when the explore block jettisons. The error value is bound to your variable.
dockImport / UseDock with a module — establish a connection and bring its capabilities aboard.
airlockfs.airlock (Read)Pass data through a security boundary. Every byte is scanned by the RASP engine.
permitCapability GrantGrant an explicit I/O capability. Without it the analyzer refuses to compile the call.
spawnStart ActorLaunch a new actor into the scheduler. Isolated heap, own mailbox, parallel execution.
receiveAwait MessageBlock the current actor until a message arrives in its mailbox. Scheduler yields the thread.
clipBreak LoopExit the innermost orbit immediately — compiled to a patched jump to the loop's end IP.
time.nowCurrent TimestampReturns the current Unix epoch as a Float with millisecond precision. No permit needed.
time.formatFormat DatetimeRender a timestamp with strftime-style tokens — %Y %m %d %H %M %S %f %A %B and more.
time.diffTime DifferenceCompute b − a in seconds. Positive when b is later, negative when earlier. Use for stopwatches and rate limiting.
time.sleepBlock / DelaySuspend the current actor thread for a given number of seconds. Sub-second precision. Requires permit time.sleep.
time.parseParse ISO 8601Convert "YYYY-MM-DDTHH:MM:SS" or "YYYY-MM-DD" strings into a Unix epoch Float. Jettisons on bad input.
time.componentsDecompose TimestampReturns a CSV String: year, month, day, hour, minute, second, weekday number, weekday name, month name, unix int, millis.
Phase 5

Actors in Orbit

Each actor is an isolated VM with its own heap, IP register, and mailbox. Messages are primitive values — no shared memory, no data races. The M:N scheduler distributes work across all CPU cores.

Phase 6 — New

Time Module

Six functions for everything temporal — current time, formatting, elapsed measurement, sleeping, parsing, and calendar decomposition. All UTC. All pure std. Timestamps are just Floats.

time.now()
Returns current Unix epoch as a Float with ms precision. No permit.
→ Float e.g. 1716124800.537
time.format(ts, fmt)
Render a timestamp with 21 strftime-style tokens. No permit.
→ String e.g. "2026-05-19 14:30:00"
time.diff(a, b)
Compute b − a in seconds. Negative when b is earlier. No permit.
→ Float (positive = b later)
time.sleep(secs)
Block the actor thread. Sub-second precision. Requires permit time.sleep.
→ Vacuum
time.parse(s)
ISO 8601 string → Unix Float. Accepts T or space separator, date-only, Z suffix. No permit.
→ Float jettisons on bad input
time.components(ts)
Decompose timestamp into CSV: year, month, day, hour, min, sec, weekday num, weekday name, month name, unix int, ms.
→ String CSV
live clock · time.now() simulation
time_demo.plt 
system TimeDemo {
  permit time.sleep("*")

  launch() {
    // Current time in multiple formats
    now = time.now()
    transmit(time.format(now,
      "%Y-%m-%dT%H:%M:%S"))
    transmit(time.format(now,
      "%A, %B %d %Y %I:%M %p"))

    // Stopwatch
    t0 = time.now()
    i = 0
    orbit (i < 1000000) { i = i + 1 }
    ms = time.diff(t0, time.now()) * 1000
    transmit(ms)   // elapsed ms

    // Parse a historical date
    flyby = time.parse(
      "2015-07-14T11:49:57")
    days = time.diff(flyby, now) / 86400
    transmit(days)  // days since Pluto flyby

    // Countdown
    n = 3
    orbit (n > 0) {
      transmit(n)
      time.sleep(1)
      n = n - 1
    }
    transmit("ignition!")
  }
}
Format Tokens
%Y 4-digit year
%m month 01-12
%d day 01-31
%H hour 00-23
%M minute 00-59
%S second 00-59
%f milliseconds
%A weekday name
%B month name
%I 12-hour clock
%p AM / PM
%% literal %

The Smallest Planet.
The Biggest Ideas.

Pluto v1.0 — Built by Blake Burns Technologies Inc.

Read the Docs Download now