Update

Author: bracevac

docs/_docs/reference/experimental/capture-checking/polymorphism.md

@@ -11,6 +11,9 @@ Capture checking supports capture-polymorphic programming in two complementary s
 1.	**Implicit** capture polymorphism, which is the default and has minimal syntactic overhead.
 1.	**Explicit** capture polymorphism, which allows programmers to abstract over capture sets directly through explicit generic parameters.
 
+The difference between implicit and explicit capture polymorphism is analogous to the difference
+between polymorphism through subtyping versus parametric polymorphism through type parameters/generics.
+
 ### Implicit Polymorphism
 
 In many cases, such a higher-order functions, we do not need new syntax to be polymorphic over
@@ -77,7 +80,8 @@ This representation is an implementation detail and should not be used directly.
 
 #### Instantiation and inference
 Capture-set variables are inferred in the same way as ordinary type variables.
-They can also be instantiated explicitly:
+They can also be instantiated explicitly with capture-set literals or other
+capture-set variables:
 ```scala
 class Async extends caps.SharedCapability
 
@@ -94,7 +98,7 @@ others. The resulting `allListeners` method reflects this relationship.
 
 #### Transforming collections
 A typical use of explicit capture parameters arises when transforming collections of capturing
-values—such as `Future`s. In these cases, the API must guarantee that whatever capabilities are
+values, such as `Future`s. In these cases, the API must guarantee that whatever capabilities are
 captured by the elements of the input collection are also captured by the elements of the output.
 
 The following example takes an unordered `Set` of futures and produces a `Stream` that yields their

docs/_docs/reference/experimental/capture-checking/scoped-caps.md

@@ -4,15 +4,101 @@ title: "Scoped Caps"
 nightlyOf: https://docs.scala-lang.org/scala3/reference/experimental/capture-checking/scoped-caps.html
 ---
 
-## Scoped Universal Capabilities
+## Introduction
 
-When discussing escape checking, we referred to a scoping discipline. That is, capture sets can contain only capabilities that are visible at the point where the set is defined. But that raises the question: where is a universal capability `cap` defined? In fact, what is written as the top type `cap` can mean different capabilities, depending on scope. Usually a `cap` refers to a universal capability defined in the scope where the `cap` appears.
+When discussing [escape checking](basics.md#escape-checking), we referred to a scoping discipline. That is, capture sets can contain only capabilities that are visible at the point where the set is defined. But that raises the question: where is a universal capability `cap` defined? In fact, what is written as the top type `cap` can mean different capabilities, depending on scope.
 
-A useful mental model is to think of `cap` as a "container" that can _absorb_ concrete capabilities. When you write `T^` (shorthand for `T^{cap}`), you're saying "this value may capture some capabilities that will flow into this `cap`." Different `cap` instances in different scopes are different containers: a capability that flows into one doesn't automatically flow into another. We will further expand on this idea later when discussing [separation checking](separation-checking.md).
+## Different Kinds of Caps
 
-### Existential Binding
+We will discuss three distinct kinds of `cap` in this chapter:
 
-Special rules apply to `cap`s in method and function parameters and results. For example, take this method:
+**Local caps**: Every class, method body, and block has its own local `cap`. It abstracts over the capabilities used inside that scope, representing them by a single name to the outside world. Local caps form a subcapturing hierarchy based on lexical nesting.
+
+**Parameter caps**: When `cap` appears in a function parameter type (e.g., `def foo(x: T^)`), it gets its own cap scoped to that parameter. At call sites, parameter caps are instantiated to the actual capabilities passed in.
+
+**Result caps**: When `cap` appears in a function result type (e.g., `def foo(x: T): U^`), it becomes an existentially-bound cap that describes what the caller receives. Unlike local caps, result caps do _not_ subsume the enclosing scope's `cap`.
+
+So, when writing `T^` (shorthand for `T^{cap}`), `cap` is a way of saying "captures something" without
+naming what it is precisely, and depending of the context occurrence of such `cap`s, the capture checker imposes
+restrictions on which capabilities are allowed to flow into them. We will further expand on this idea
+(and other kinds of `cap`) later when discussing [separation checking](separation-checking.md).
+
+Another analogy for the different `cap`s is that they are some form of implicitly named existential or abstract self-capture set attached to elements of the program structure, e.g., scopes, parameters, or return values.
+
+## Subcapturing and Levels
+
+Local `cap`s form a subcapturing hierarchy based on lexical nesting: a nested scope's local `cap` subsumes its enclosing scope's local `cap`. This makes sense because the inner scope can use any capability available in the outer scope
+as well as locally defined ones. At the top level, there is a true universal `cap` — the local `cap` of the global scope — which all other local `cap`s ultimately subsume:
+
+```scala
+// top level: the global `cap`
+class Outer: // has local cap₁
+  val f1: File^ = File("f1") // File^{cap₁}
+  def method() = // has local cap₂
+    val f2: File^ = File("f2") // File^{cap₂}
+    var ref: () => Unit = null // () ->{cap₂} Unit, can accept what can flow into cap₂
+    val closure = () => // has local cap₃
+      val f3: File^ = File("f3") // File^{cap₃}
+      val f4: File^ = f2 // ok, because {cap₂} <: {cap₃}
+      val f5: File^ = f1 // ok, because {cap₁} <: {cap₃}
+      ref = () => f3.read() // error, f3 is at the level of cap₃ and cannot flow into cap₂
+      ...
+```
+
+Each capability has a _level_ corresponding to the local `cap` of its defining scope. The level determines where a capability can flow: it can flow into `cap`s at the same level or more deeply nested, but not outward to enclosing scopes (which would mean a capability lives longer than its lexical lifetime). The compiler computes a capability's level by walking up the ownership chain until reaching a symbol that represents a level boundary. Level boundaries are:
+- **Classes** (but not inner non-static module classes)
+- **Methods** (but not accessors or constructors)
+
+Local values like `f1`, `f2`, `ref`, etc., don't define their own levels. They inherit the level of their enclosing method or class. For example, this means:
+- `f1` is at `Outer`'s level, i.e., `f` subcaptures local `cap₁`.
+- `f2` and `ref` are both at `method`'s level, i.e., both subcapture local `cap₂`.
+- By lexical lifetime, `{cap₂} <: {cap₃}` holds, but it does **not** hold that `{cap₃} <: {cap₂}`. Hence,
+we cannot assign the closure to `ref`, because `{f3}` is subcapture-bounded by `{cap₃}`.
+
+### Charging Captures
+
+When a capability is used, it must be checked for compatibility with the capture-set constraints of all enclosing scopes. This process is called _charging_ the capability to the environment.
+
+```scala
+def outer(fs: FileSystem^): Unit =
+  def inner(): () ->{fs} Unit =
+    () => fs.read()  // fs is used here
+  inner()
+```
+
+When the capture checker sees `fs.read()`, it verifies that `fs` can flow into each enclosing scope:
+1. The immediately enclosing closure `() => fs.read()` must permit `fs` in its capture set ✓
+2. The enclosing method `inner` must account for `fs` (it does, via its capture set) ✓
+3. The enclosing method `outer` must account for `fs` (it does, via its parameter) ✓
+
+If any scope refuses to absorb the capability, capture checking fails:
+
+```scala
+def process(fs: FileSystem^): Unit =
+  val f: () -> Unit = () => fs.read()  // Error: fs cannot flow into {}
+```
+
+The closure is declared pure (`() -> Unit`), meaning its local cap is the empty set. The capability `fs` cannot flow into an empty set, so the checker rejects this.
+
+### Visibility and Widening
+
+When capabilities flow outward to enclosing scopes, they must remain visible. A local capability cannot appear in a type outside its defining scope. In such cases, the capture set is _widened_ to the smallest visible super capture set:
+
+```scala
+def test(fs: FileSystem^): Logger^ =
+  val localLogger = Logger(fs)
+  localLogger  // Type widens from Logger^{localLogger} to Logger^{fs}
+```
+
+Here, `localLogger` cannot appear in the result type because it's a local variable. The capture set `{localLogger}` widens to `{fs}`, which covers it (since `localLogger` captures `fs`) and is visible outside `test`. In effect, `fs` flows into the result's cap instead of `localLogger`.
+
+## Existential Binding in Function Types
+
+So far we've discussed local `cap`s that follow the lexical nesting hierarchy. But `cap` can also appear in function parameter and result types, where special binding rules apply.
+
+### Result Caps
+
+Consider this method:
 
 ```scala
 def makeLogger(fs: FileSystem^): Logger^ = new Logger(fs)
@@ -32,7 +118,29 @@ makeLogger: ∀cap₁.(fs: FileSystem^{cap₁}): ∃cap₂. Logger^{cap₂}
 ```
 There's a connection with [capture polymorphism](polymorphism.md) here. `cap`s in function parameters behave like additional capture parameters that can be instantiated at the call site to arbitrary capabilities.
 
-### Function Types
+### Why Result Caps Don't Subcapture Local Caps
+
+Result `cap`s do _not_ subsume the enclosing scope's local `cap`. Result `cap`s are bound at the function boundary, not within the function body:
+
+```scala
+def outer(): () -> File^ =
+  val localFile: File^ = openFile()
+  () => localFile  // Error!
+```
+
+The return type `() -> File^` contains an existentially-bound result cap. If this result cap subcaptured `outer`'s local cap, then `localFile` could flow into it, and the local file would escape. The whole point of the existential is to describe what the _caller_ receives — it must not allow capabilities from the callee's scope to leak out.
+
+In contrast, a local cap inside a function body _does_ subcapture the enclosing local cap:
+
+```scala
+def outer(): Unit =
+  val f: File^ = openFile()  // This ^ is outer's local cap
+  val g: () => Unit = () => f.read()  // OK: closure's local cap subcaptures outer's local cap
+```
+
+Here the closure's local cap can absorb `f` because both are nested within `outer`.
+
+### Expansion Rules for Function Types
 
 The conventions for method types carry over to function types. A dependent function type
 ```scala
@@ -44,8 +152,7 @@ is interpreted as having an existentially bound `cap` in the result, like this:
 ```
 The same rules hold for the other kinds of function arrows, `=>`, `?->`, and `?=>`. So `cap` can in this case absorb the function parameter `x` since `x` is locally bound in the function result.
 
-However, the expansion of `cap` into an existentially bound variable only applies to functions that use the dependent function style syntax, with explicitly named parameters. Parametric functions such as `A => B^` or
-`(A₁, ..., Aₖ) -> B^` don't bind the `cap` in their return types in an existential quantifier. For instance, the function
+However, the expansion of `cap` into an existentially bound variable only applies to functions that use the dependent function style syntax, with explicitly named parameters. Parametric functions such as `A => B^` or `(A₁, ..., Aₖ) -> B^` don't bind the `cap` in their return types in an existential quantifier. For instance, the function
 ```scala
 (x: A) -> B -> C^
 ```
@@ -73,56 +180,11 @@ To summarize:
   - Occurrences of `cap` elsewhere are not translated. They can be seen as representing an existential in the
     scope of the definition in which they appear.
 
-## Levels and Escape Prevention
-
-Each capability has a _level_ corresponding to where it was defined. The level determines where a capability can flow: it can flow into `cap`s at the same level or more deeply nested, but not outward to enclosing scopes (which would mean a capability lives longer than its lexical lifetime). Later sections on [capability classifiers](classifiers.md) will add a controlled mechanism that permits escaping/flowing outward for situations
-where this would be desirable.
-
-### How Levels Are Computed
-
-A capability's level is determined by its _level owner_, which the compiler computes by walking up the ownership chain until reaching a symbol that represents a level boundary. Level boundaries are:
-- **Classes** (but not inner non-static module classes)
-- **Methods** (but not accessors or constructors)
-
-Consider this example:
+Later sections on [capability classifiers](classifiers.md) will add a controlled mechanism that permits capabilities to escape their level for situations where this would be desirable.
 
-```scala
-def outer(c1: Cap^) =                // level: outer
-  val x = 1                            // level: outer (vals don't create levels)
-  var ref: () => Unit = () => ()
-
-  def inner(c2: Cap^) =                // level: inner
-    val y = 2                            // level: inner
-    val f = () => c2.use()
-    ref = f                              // Error: c2 would escape its level
-
-    class Local:                       // level: Local
-      def method(c3: Cap^) =             // level: method
-        val z = c3                         // level: method
-```
-
-Local values like `x`, `y`, and `z` don't define their own levels. They inherit the level of their enclosing method or class. This means:
-- `c1` and `ref` are both at `outer`'s level
-- `c2` and `f` are both at `inner`'s level
-- `c3` and `z` are both at `method`'s level
-
-### The Level Check
-
-A capability can flow into a `cap` only if that `cap`'s scope is _contained in_ the capability's level owner. In the example above, `ref.set(f)` fails because:
-- `ref`'s type parameter has a `cap` that was instantiated at `outer`'s level
-- `f` captures `c2`, which is at `inner`'s level
-- `outer` is not contained in `inner`, so `c2` cannot flow into `ref`'s `cap`
-
-This ensures capabilities flow "inward" to more nested scopes, never "outward" to enclosing ones.
-
-### Comparison with Rust Lifetimes
+## Comparison with Rust Lifetimes
 
-Readers familiar with Rust may notice similarities to lifetime checking. Both systems prevent
-references from escaping their valid scope. In Rust, a reference type `&'a T` carries an explicit
-lifetime parameter `'a`. In Scala's capture checking, the lifetime is folded into the capability
-name itself: `T^{x}` says "a `T` capturing `x`," and `x`'s level implicitly determines how long this
-reference is valid. A capture set then acts as an upper bound on the lifetimes of all the
-capabilities it contains.
+Readers familiar with Rust may notice similarities to lifetime checking. Both systems prevent references from escaping their valid scope. In Rust, a reference type `&'a T` carries an explicit lifetime parameter `'a`. In Scala's capture checking, the lifetime is folded into the capability name itself: `T^{x}` says "a `T` capturing `x`," and `x`'s level implicitly determines how long this reference is valid. A capture set then acts as an upper bound on the lifetimes of all the capabilities it contains.
 
 Consider a `withFile` pattern that ensures a file handle doesn't escape:
 
@@ -162,46 +224,9 @@ In both cases, the type system prevents the handle from escaping the callback. R
 The key analogies are:
 - **Capability name ≈ Lifetime parameter**: Where Rust writes `&'a T`, Scala writes `T^{x}`. The capability `x` carries its lifetime implicitly via its level.
 - **Capture set ≈ Lifetime bound**: A capture set `{x, y}` bounds the lifetime of a value to be no longer than the shortest-lived capability it contains.
-- **Level containment ≈ Outlives**: Rust's `'a: 'b` (a outlives b) corresponds to Scala's level check (inner scopes are contained in outer ones).
+- **Level containment ≈ Outlives**: Rust's `'a: 'b` (a outlives b) corresponds to Scala's level check (outer scopes can
+flow into inner ones).
 
 The key differences are:
 - **What's tracked**: Rust tracks memory validity (preventing dangling pointers). Scala CC tracks capability usage (preventing unauthorized effects).
-- **Explicit vs. implicit**: Rust lifetimes are explicit parameters (`&'a T`). Scala levels are computed automatically from program structure: you name the capability, not the lifetime.
-
-## Charging Captures to Enclosing Scopes
-
-When a capability is used, it must be checked for compatibility with the capture-set constraints of
-all enclosing scopes. This process is called _charging_ the capability to the environment.
-
-```scala
-def outer(fs: FileSystem^): Unit =
-  def inner(): () ->{fs} Unit =
-    () => fs.read()  // fs is used here
-  inner()
-```
-
-When the capture checker sees `fs.read()`, it verifies that `fs` can flow into each enclosing scope:
-1. The immediately enclosing closure `() => fs.read()` must permit `fs` in its capture set ✓
-2. The enclosing method `inner` must account for `fs` (it does, via its result type) ✓
-3. The enclosing method `outer` must account for `fs` (it does, via its parameter) ✓
-
-If any scope refuses to absorb the capability, capture checking fails:
-
-```scala
-def process(fs: FileSystem^): Unit =
-  val f: () -> Unit = () => fs.read()  // Error: fs cannot flow into {}
-```
-
-The closure is declared pure (`() -> Unit`), meaning its `cap` is the empty set. The capability `fs` cannot flow into an empty set, so this is rejected.
-
-### Visibility and Widening
-
-When capabilities flow outward to enclosing scopes, they must remain visible. A local capability cannot appear in a type outside its defining scope. In such cases, the capture set is _widened_ to the smallest visible super capture set:
-
-```scala
-def test(fs: FileSystem^): Logger^ =
-  val localLogger = Logger(fs)
-  localLogger  // Type widens from Logger^{localLogger} to Logger^{fs}
-```
-
-Here, `localLogger` cannot appear in the result type because it's a local variable. The capture set `{localLogger}` widens to `{fs}`, which covers it (since `localLogger` captures `fs`) and is visible outside `test`. In effect, `fs` flows into the result's `cap` instead of `localLogger`.
+- **Explicit vs. implicit**: Rust lifetimes are explicit parameters (`&'a T`). Scala levels are computed automatically from program structure: you name the capability, not the lifetime.