I've been studying and learning about object-capability systems for over 10 years. I firmly believe that ocaps as a reasoning principle in the language is the right way to go for building secure systems.
Following Mark Miller's E language and David Wagner et al.'s Joe-E, I'm building a typed ocaps language:
In essence it is just a simple ocaps language with an interesting way to propagate capabilities (contextual capabilities) and with a compiler design trick that allows FFI in the trusted world but not in the untrusted world.
The web site uses "compile-time sandboxing" --- that is just a way to speak to programmers, because I find "capability system" does not speak much to them.
The formal capability model is explained here:
The language and tools are still young. I'd appreciate your feedback to help make it better and more usable for the world.