Injection is runtime data, so 'compile-time' overstates it. A type system can taint-track — mark untrusted input, block it from a privileged sink. Valuable, but that's enforcement, not detection.
That is true -- the title does not precisely state what Jo is. It bounds the dangers that prompt injection can cause to arbitrary granularity.
I (the author of Jo) built Jo because I kept asking myself: can we solve the sandboxing problem at the language level — one that's actually aware of business logic?
Runtime sandboxes block syscalls, but they can't enforce "only this user's rows" or "only this API endpoint." That's application-level precision, and no sandbox can see it.
Jo's answer is to make capabilities typed parameters. If you haven't received one, you can't use it — the compiler proves this through the whole call graph, at whatever granularity your interfaces define.
This allows programmers to create bounds of arbitrary granularity that can contain the damages that can be caused by prompt injection.
I (the author of Jo) built Jo because I kept asking myself: can we solve the sandboxing problem at the language level — one that's actually aware of business logic?
Runtime sandboxes block syscalls, but they can't enforce "only this user's rows" or "only this API endpoint." That's application-level precision, and no sandbox can see it.
Jo's answer is to make capabilities typed parameters. If you haven't received one, you can't use it — the compiler proves this through the whole call graph, at whatever granularity your interfaces define.
This allows programmers to create bounds of arbitrary granularity that can contain the damages that can be caused by prompt injection.