This paper addresses core challenges in stateful resource management—alias safety, limited expressiveness, and constrained concurrency—by introducing a flow-sensitive revocable capability mechanism. The mechanism decouples capability lifetimes from lexical scoping, enabling dynamic capability provisioning, delegation, and revocation while preserving type safety and supporting fine-grained state control. It constitutes the first extension of scope-based capability systems to flow-sensitive type-level state tracking, unifying the security guarantees of lexical scoping with runtime flexibility and enabling safe state transitions in alias-rich environments. Implemented as an extension to the Scala 3 compiler, it leverages path-dependent types and implicit resolution for static verification. Evaluation across file I/O, lock protocols, DOM construction, and session types demonstrates the mechanism’s soundness, expressiveness, and practical utility.

Managing stateful resources safely and expressively is a longstanding challenge in programming languages, especially in the presence of aliasing. While scope-based constructs such as Java's synchronized blocks offer ease of reasoning, they restrict expressiveness and parallelism. Conversely, imperative, flow-sensitive management enables fine-grained control but demands sophisticated typestate analyses and often burdens programmers with explicit state tracking. In this work, we present a novel approach that unifies the strengths of both paradigms by extending flow-insensitive capability mechanisms into flow-sensitive typestate tracking. Our system decouples capability lifetimes from lexical scopes, allowing functions to provide, revoke, and return capabilities in a flow-sensitive manner, based on the existing mechanisms explored for the safety and ergonomics of scoped capability programming. We implement our approach as an extension to the Scala 3 compiler, leveraging path-dependent types and implicit resolution to enable concise, statically safe, and expressive typestate programming. Our prototype generically supports a wide range of stateful patterns, including file operations, advanced locking protocols, DOM construction, and session types. This work demonstrates that expressive and safe typestate management can be achieved with minimal extensions to existing capability-based languages, paving the way for more robust and ergonomic stateful programming.