horkos 0.1.7

Cloud infrastructure language where insecure code won't compile
Horkos

Infrastructure code that won't let you deploy insecure configurations

A type-safe language for cloud infrastructure that compiles to Terraform. Security is enforced at compile time—insecure code literally cannot compile.


The Problem

Infrastructure-as-code has a security gap:

  • Secure defaults are opt-in — Easy to forget encryption, logging, or access controls
  • Mistakes compile fine — Public S3 buckets and open security groups are valid Terraform
  • Reviews happen too late — Security issues caught in CI or production, not at write time
  • No audit trail — When security is weakened, there's no record of why
  • AI amplifies the problem — Generated code prioritizes functionality over security, often accepted without scrutiny

The Solution

Horkos flips the model: secure by default, exceptions require justification.

// Secure by default
val bucket = S3.createBucket("my-data")
// ✓ Encrypted, versioned, public access blocked, logging enabled

// Weakening security requires explicit justification
val public = unsafe("Static website - approved in ticket #402") {
    S3.createBucket("website", publicAccess: true)
}

The unsafe block creates an auditable paper trail—every security exception is documented in the code itself.
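
Because each justification is a string literal in the source, the exceptions can be listed mechanically for review. The following Python script is an added example, not part of Horkos or its tooling: it extracts every unsafe justification and flags weak ones. The ticket-reference and minimum-length rules are assumed reviewer policy, and the sample source is constructed in the syntax shown above.

```python
import re

# Constructed sample in the syntax shown on this page; not from a real project.
SAMPLE = '''\
val bucket = S3.createBucket("my-data")
val public = unsafe("Static website - approved in ticket #402") {
    S3.createBucket("website", publicAccess: true)
}
val scratch = unsafe("temp") {
    S3.createBucket("scratch", publicAccess: true)
}
// unsafe("commented out") { ... }
'''

# Matches unsafe("<justification>") { as written in the example above.
UNSAFE_RE = re.compile(r'\bunsafe\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\{')
# Hypothetical reviewer policy: a justification must cite a ticket such as "#402".
TICKET_RE = re.compile(r'#\d+')
MIN_LENGTH = 15  # hypothetical minimum, rejects placeholders like "temp"

def strip_line_comments(source):
    """Blank out // comments outside string literals; offsets stay unchanged."""
    def keep_strings(m):
        text = m.group(0)
        return text if text.startswith('"') else " " * len(text)
    return re.sub(r'"(?:[^"\\]|\\.)*"|//[^\n]*', keep_strings, source)

def audit_unsafe(source, path="<sample>"):
    """Return one record per unsafe block: location, justification, findings."""
    records = []
    code = strip_line_comments(source)
    for m in UNSAFE_RE.finditer(code):
        reason = m.group(1).strip()
        problems = []
        if len(reason) < MIN_LENGTH:
            problems.append("justification too short")
        if not TICKET_RE.search(reason):
            problems.append("no ticket reference")
        line = code.count("\n", 0, m.start()) + 1
        records.append({"path": path, "line": line,
                        "reason": reason, "problems": problems})
    return records

if __name__ == "__main__":
    for r in audit_unsafe(SAMPLE):
        status = "REVIEW: " + ", ".join(r["problems"]) if r["problems"] else "ok"
        print(f'{r["path"]}:{r["line"]}: {r["reason"]!r} -> {status}')
```

Run over a change set in CI, the output gives reviewers a single list of every weakened control and the stated reason for it.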


Philosophy

The friction is the feature.

Most developers don't create insecure infrastructure on purpose—they're just busy, moving fast, or unaware of the implications. Horkos helps by making the secure path the easy path.

| Path | Experience |
|------|------------|
| Secure | Effortless — just write code |
| Insecure | Explain yourself with unsafe |

Like Rust's unsafe keyword, this creates a psychological barrier that forces you to pause and think. And in the AI era, it matters even more: when Copilot generates 50 lines of infrastructure, the risky parts literally won't compile without explicit acknowledgment.


Installation

Homebrew (macOS/Linux)

brew install aimable100/tap/horkos

npm (Node.js)

npm install -g horkos

Cargo (Rust)

cargo install horkos

Docker

docker run --rm -v "$(pwd)":/workspace ghcr.io/aimable100/horkos compile

Binary Download

Download from GitHub Releases:

| Platform | Download |
|----------|----------|
| macOS (Apple Silicon) | horkos-vX.Y.Z-macos-arm64.tar.gz |
| macOS (Intel) | horkos-vX.Y.Z-macos-x64.tar.gz |
| Linux (x64) | horkos-vX.Y.Z-linux-x64.tar.gz |
| Linux (ARM64) | horkos-vX.Y.Z-linux-arm64.tar.gz |
| Windows (x64) | horkos-vX.Y.Z-windows-x64.zip |

Verify Downloads (Optional)

Binaries are signed for supply chain security:

# Install cosign: brew install cosign (or see sigstore.dev)
# The identity regexp is anchored and its dots escaped so that only
# workflows inside this repository match, not look-alike names.
cosign verify-blob \
  --signature horkos-vX.Y.Z-linux-x64.tar.gz.sig \
  --certificate horkos-vX.Y.Z-linux-x64.tar.gz.pem \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github\.com/aimable100/horkos/" \
  horkos-vX.Y.Z-linux-x64.tar.gz

Quick Start

# Create a new project
horkos init my-infra
cd my-infra

# Compile to Terraform
horkos compile

# Apply with Terraform
cd terraform && terraform apply

Why Horkos?

| Problem | Terraform/Pulumi | Horkos |
|---------|------------------|--------|
| Security | Opt-in (easy to forget) | Enforced (can't forget) |
| When errors caught | CI/runtime (too late) | Compile time (before commit) |
| AI-generated code | Compiles if insecure | Fails until secure |
| Type safety | None or weak | Full type checking |
| Legacy code | Trust it blindly | Marked as Unverified<T> |
| Audit trail | Hope someone commented | unsafe blocks document exceptions |

Current Status

v0.1.6 - Alpha

✅ S3, VPC, Subnets, Security Groups, CloudWatch
✅ Taint tracking with Unverified<T>
✅ unsafe blocks with mandatory justifications
✅ Conditionals (if/then/else)
✅ List methods (.map(), .filter(), .length, .any(), .all(), .concat())
✅ String methods (.concat(), .toUpper, .toLower, .trim, etc.)
✅ Compile-time assert() with collected failure reporting
✅ Multi-file projects

See ROADMAP for planned features.


Supported Versions

Horkos generates Terraform HCL compatible with:

| Component | Version | Notes |
|-----------|---------|-------|
| Terraform CLI | >= 1.5.0 | Tested: 1.5.x, 1.6.x, 1.7.x, 1.8.x, 1.9.x |
| AWS Provider | >= 5.0, < 6.0 | Tested: 5.0, 5.30, 5.40, 5.50, 5.60 |

Generated main.tf includes version constraints:

terraform {
  required_version = ">= 1.5.0"
  
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0, < 6.0"
    }
  }
}

All 30 version combinations are tested in CI.



License

MIT OR Apache-2.0


Origin

In Greek mythology, Horkos punished oath-breakers swiftly. Here, your infrastructure declarations are oaths—break them and the compiler stops you.