MASL — Maduka Authorization Specification Language
MASL is a declarative, graph-first authorization schema language for Zanzibar-style authorization systems.
You describe who can do what on which resource in a .mdk file.
maslc compiles it to a compact binary (.mdkc) loaded at runtime by the Zanzibar engine.
namespace commerce
schema 1
subject User
subject Group {
    relation {
        member: User | Group::member
    }
}
resource Store {
    relation {
        owner: User
        staff: User | Group::member
        org: Organization
    }
    grant {
        view => owner | staff | org::member
        manage => owner | org::manage
        delete => owner
    }
}
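How an engine might resolve these three grants over relationship tuples, as an added example (not code from MASL or masl_runtime). The tuple encoding, object ids, function names and the Organization relations member/manage are assumptions, as is reading :: the usual Zanzibar way; a visited set keeps recursive Group::member membership from looping.

```rust
use std::collections::HashSet;

// Constructed sample tuples (object, relation, subject); "x#member" is a userset.
const TUPLES: &[(&str, &str, &str)] = &[
    ("store:s1", "owner", "user:alice"),
    ("store:s1", "staff", "group:ops#member"),
    ("store:s1", "org", "org:acme"),
    ("group:ops", "member", "group:oncall#member"),
    ("group:oncall", "member", "user:bob"),
    ("group:oncall", "member", "group:ops#member"), // deliberate cycle
    ("org:acme", "member", "user:carol"),
    ("org:acme", "manage", "user:dave"),
];

/// True if `user` holds `rel` on `obj`, directly or through nested usersets.
fn has_relation<'a>(obj: &'a str, rel: &'a str, user: &str,
                    seen: &mut HashSet<(&'a str, &'a str)>) -> bool {
    if !seen.insert((obj, rel)) {
        return false; // already being explored: stops group cycles
    }
    TUPLES.iter().filter(|t| t.0 == obj && t.1 == rel).any(|t| match t.2.split_once('#') {
        Some((o, r)) => has_relation(o, r, user, seen),
        None => t.2 == user,
    })
}

fn holds(obj: &str, rel: &str, user: &str) -> bool {
    has_relation(obj, rel, user, &mut HashSet::new())
}

/// `link::rel` in a grant (assumed meaning): follow `link`, check `rel` there.
fn via(obj: &str, link: &str, rel: &str, user: &str) -> bool {
    TUPLES.iter().filter(|t| t.0 == obj && t.1 == link).any(|t| holds(t.2, rel, user))
}

/// The three grants of `resource Store`; anything else is denied.
fn check(store: &str, grant: &str, user: &str) -> bool {
    match grant {
        "view" => holds(store, "owner", user) || holds(store, "staff", user)
            || via(store, "org", "member", user),
        "manage" => holds(store, "owner", user) || via(store, "org", "manage", user),
        "delete" => holds(store, "owner", user),
        _ => false,
    }
}

fn main() {
    println!("bob can view: {}", check("store:s1", "view", "user:bob"));
}
```

With these tuples, user:dave can manage the store through org::manage but cannot view it, because each grant is evaluated only against the relations it names.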
Features
- Purely declarative — no variables, no loops, no conditions.
- Compile-time validation — type resolution, circular alias detection, unreachable grant checks.
- Public Contracts — grants are the public API; relations are implementation details.
- Zero runtime overhead — aliases fully expanded at compile time, .mdkc loaded once at startup.
- Rich tooling — maslc build, maslc check, maslc fmt, maslc lint, maslc doc, maslc lsp.
- VS Code extension — real-time diagnostics powered by the LSP server.
Installation
From crates.io
From source
# Optionally install globally:
Pre-built binaries
Download the latest release from GitHub Releases for:
- x86_64-unknown-linux-gnu
- x86_64-apple-darwin / aarch64-apple-darwin
- x86_64-pc-windows-msvc
Quick Start
1. Create a schema file my_app.mdk:
namespace my_app
schema 1
subject User
resource Document {
    relation {
        author: User
        reviewer: User
    }
    grant {
        view => author | reviewer
        edit => author
        delete => author
    }
}
2. Validate:
3. Compile to binary:
4. Inspect / format / lint:
CLI Reference
maslc <COMMAND> [OPTIONS]
Commands:
  build   Compile a .mdk schema to a .mdkc binary
  check   Parse and validate a schema without producing output
  fmt     Format a .mdk file in place
  lint    Run the architectural linter
  doc     Generate markdown documentation from the schema
  lsp     Start the LSP server (used by editor extensions)
Options:
  -h, --help     Print help
  -V, --version  Print version
maslc build
maslc build <INPUT> [--out <OUTPUT>]
Arguments:
<INPUT> Path to the .mdk source file
--out <OUTPUT> Output path for the .mdkc binary [default: <INPUT>.mdkc]
maslc check
maslc check <INPUT>
Runs parsing, semantic analysis, and validation. Exits 0 on success, 1 on error — suitable for CI.
maslc fmt
maslc fmt <INPUT> [--check]
--check Fail if the file is not already formatted (for CI)
maslc lint
maslc lint <INPUT>
Emits architectural warnings (public contract violations, naming conventions, unused aliases, etc.).
maslc doc
maslc doc <INPUT> [--out <DIR>]
--out <DIR> Output directory for generated markdown [default: ./docs]
VS Code Extension
Install from the VS Code Marketplace or via VSIX:
The extension provides:
- Real-time diagnostics (errors & warnings as you type).
- Syntax recognition for .mdk files.
- Auto-closing brackets and comment toggling.
Requires maslc in your PATH, or configure:
"masl.compiler.path": "/usr/local/bin/maslc"
Library Usage (Rust)
If you want to integrate MASL in your application to evaluate authorization queries, use the masl_runtime crate:
[dependencies]
masl_runtime = { version = "0.1.0" }
Quick Example
use *;
// 1. Define a TupleReader (e.g. connected to your SurrealDB or Postgres database)
;
async
Crate Architecture
This repository is a Cargo workspace. The crates are layered as follows:
maslc (binary)
└── masl_compiler — compilation driver (orchestrates all phases)
├── masl_parser — Pest-based parser, produces AST
├── masl_hir — High-level IR (semantic model)
├── masl_validator — architectural & performance lint checks
├── masl_ir — lowered intermediate representation
└── masl_bytecode — .mdkc binary serialization
masl_runtime — high-performance ReBAC reference runtime
masl_formatter — canonical formatting of .mdk source
masl_linter — standalone linter rules (naming, public contracts)
masl_lsp — LSP server (tower-lsp, stdio transport)
masl_diagnostics — shared diagnostic types (errors, warnings, spans)
| Crate | Description | Publish |
|---|---|---|
| maslc | CLI binary | ✅ |
| masl_compiler | Compiler driver | ✅ |
| masl_parser | Parser + AST | ✅ |
| masl_hir | Semantic HIR | ✅ |
| masl_validator | Architectural validator | ✅ |
| masl_ir | IR types | ✅ |
| masl_bytecode | .mdkc encoder/decoder | ✅ |
| masl_runtime | ReBAC reference engine | ✅ |
| masl_formatter | Source formatter | ✅ |
| masl_linter | Linter rules | ✅ |
| masl_lsp | LSP server | ✅ |
| masl_diagnostics | Shared diagnostics | ✅ |
Examples
See the examples/ directory:
| File | Description |
|---|---|
| commerce.mdk | Multi-tenant e-commerce schema (stores, products, orders) |
Documentation
- MASL Book — language guide (concepts, operators, best practices).
- RFCs — design specifications and architectural decisions.
- crates.io docs — generated API documentation.
Contributing
- Fork the repository.
- Create a feature branch: git checkout -b feat/my-feature.
- Run checks before committing:
- Open a pull request.
New language features must be discussed in an RFC first — see rfcs/.
License
MIT — see LICENSE.