<div align="center">
<img src="web/public/logo.svg" width="64" height="64" alt="Horkos" />
# Horkos
**If it's insecure, it won't compile.**
[](https://crates.io/crates/horkos)
[](https://github.com/aimable100/horkos/actions)
[](#license)
A type-safe language for Terraform where insecure code won't compile.
[Try it Online](https://horkos.cloud) · [Documentation](https://horkos.cloud/#/docs) · [Changelog](docs/CHANGELOG.md) · [Twitter](https://twitter.com/horkosLang)
</div>
---
## Why Horkos?
Terraform lets you build anything. Including mistakes.
| Security | Opt-in | **Enforced** |
| Errors caught | CI/runtime | **Compile time** |
| AI-generated code | Compiles if insecure | **Fails until secure** |
| Audit trail | Comments (maybe) | **`unsafe` blocks** |
---
## How It Works
```horkos
// One line. Secure by default.
val bucket = S3.createBucket("data")
```
Compiles to 5 Terraform resources: bucket, versioning, encryption, public access block, logging.
```horkos
// Weakening security? Explain yourself.
val public = unsafe("Static website - ticket #402") {
S3.createBucket("www", publicAccess: true)
}
```
**If it compiles, it's secure.**
---
## Get Started
```bash
# Install
cargo install horkos
# Write
echo 'val bucket = S3.createBucket("data")' > main.hk
# Compile
horkos compile
```
Or try it in your browser at [horkos.cloud](https://horkos.cloud).
<details>
<summary><strong>Other install methods</strong></summary>
**Homebrew**
```bash
brew install aimable100/tap/horkos
```
**npm**
```bash
npm install -g horkos
```
**Docker**
```bash
docker run --rm -v $(pwd):/workspace ghcr.io/aimable100/horkos compile
```
**Binary**
Download from [GitHub Releases](https://github.com/aimable100/horkos/releases).
**Verify Downloads**
All releases include checksums and Sigstore signatures:
```bash
# Verify checksum
sha256sum -c checksums-v0.2.0.txt
# Verify signature (requires cosign)
cosign verify-blob --signature horkos-linux-x64.tar.gz.sig \
--certificate horkos-linux-x64.tar.gz.pem \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'github.com/aimable100/horkos' \
horkos-linux-x64.tar.gz
```
</details>
---
## What's Supported
**Resources:** S3, VPC, Subnets, Security Groups, Internet Gateway, CloudWatch, RDS
**Language:**
- Type-safe resource creation
- `unsafe` blocks with mandatory justification
- Taint tracking (`Unverified<T>`) for imported Terraform
- Conditionals, list methods, string methods
- Compile-time `assert()`
**Terraform:** `>= 1.5.0` with AWS Provider `>= 5.0, < 6.0`
See [ROADMAP](docs/ROADMAP.md) for planned features.
---
## Documentation
- [User Guide](docs/GUIDE.md) - Language reference
- [Architecture](docs/ARCHITECTURE.md) - Compiler internals
- [Contributing](docs/DEVELOPMENT.md) - Development setup
---
## Security
Report vulnerabilities to security@horkos.cloud. See [SECURITY.md](SECURITY.md).
## License
MIT OR Apache-2.0
---
<div align="center">
*In Greek mythology, Horkos punished oath-breakers. Here, your infrastructure declarations are oaths.*
</div>