// ============================================
// Taint Tracking in Horkos
// ============================================
// When you import external resources, they become "Unverified<T>"
// meaning Horkos can't guarantee their security properties.
// EXAMPLE 1: Importing external data
// -----------------------------------
// Imagine you import a bucket reference from another Terraform state
// or from a data source. Horkos marks it as Unverified.
// This would be an external import (simulated):
// import "external/legacy-bucket" as legacyBucket
// legacyBucket has type: Unverified<Bucket>
// You CAN'T do this - it won't compile:
// val myVpc = Network.createVpc("main",
//     cidr: "10.0.0.0/16",
//     flowLogs: legacyBucket  // ❌ Error: expected Bucket, found Unverified<Bucket>
// )
// You MUST explicitly acknowledge the risk:
// val myVpc = unsafe("Using legacy bucket - verified secure in ticket SEC-123") {
//     Network.createVpc("main",
//         cidr: "10.0.0.0/16",
//         flowLogs: legacyBucket  // ✅ Allowed - risk acknowledged
//     )
// }
// EXAMPLE 2: Security parameters require unsafe
// ----------------------------------------------
// When you weaken a security default, that also "taints" the resource.
// This WON'T compile - public bucket without a justification:
// val publicBucket = S3.createBucket("website", publicAccess: true)  // ❌ Error: weakened publicAccess outside unsafe
// This WILL compile - the risk is acknowledged:
val publicBucket = unsafe("Static website assets - no sensitive data") {
    S3.createBucket("website", publicAccess: true)
}
// EXAMPLE 3: Multiple security weaknesses
// ----------------------------------------
// You can weaken multiple parameters in one unsafe block; the one
// justification covers every weakened parameter inside it.
val devBucket = unsafe("Dev environment - acceptable risk") {
    S3.createBucket("dev-data",
        publicAccess: true,   // Weakened
        encryption: false,    // Weakened
        versioning: false     // Weakened
    )
}
// EXAMPLE 4: Secure by default - no unsafe needed
// ------------------------------------------------
// When you don't weaken any security default, no unsafe block is required
val secureBucket = S3.createBucket("production-data",
    tags: { env: "prod", team: "platform" }
)
// Automatically gets:
// - encryption: true
// - versioning: true
// - publicAccess: false
// - logging: true
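// The rules in EXAMPLES 1-4 above, modelled in Python as an added example.
// This is not Horkos code and not the Horkos compiler; it is a runtime
// sketch of the same discipline: an Unverified[T] wrapper that a Bucket
// parameter refuses, secure defaults that refuse to be weakened, and an
// unsafe(reason) scope that allows both. Every name below (Unverified,
// unsafe, create_bucket, create_vpc, SECURE_DEFAULTS, AUDIT) is an
// assumption chosen to mirror the comments above; the AUDIT list in
// particular is an added idea, not a documented Horkos feature.

```python
# Added example (not Horkos): Python model of Unverified[T] and unsafe(reason).
# All names here are assumptions that mirror the Horkos comments above.
from __future__ import annotations

import contextlib
import threading
from dataclasses import dataclass
from typing import Any, Generic, TypeVar

T = TypeVar("T")

# Secure defaults from EXAMPLE 4: any override weaker than these is "tainting".
SECURE_DEFAULTS: dict[str, Any] = {
    "encryption": True,
    "versioning": True,
    "publicAccess": False,
    "logging": True,
}


@dataclass(frozen=True)
class Bucket:
    name: str
    settings: dict[str, Any]


@dataclass(frozen=True)
class Unverified(Generic[T]):
    """An imported resource whose security properties cannot be checked."""
    inner: T
    origin: str  # e.g. "external/legacy-bucket"


class TaintError(TypeError):
    """Raised where Horkos would refuse to compile."""


# Assumed: a record of every acknowledged risk, so reviewers can audit the
# justification strings instead of grepping for unsafe(...) blocks.
AUDIT: list[dict[str, str]] = []
_ctx = threading.local()


@contextlib.contextmanager
def unsafe(reason: str):
    """Scope in which tainted values and weakened defaults are allowed."""
    if not reason.strip():
        raise ValueError("unsafe() needs a non-empty justification")
    prev = getattr(_ctx, "reason", None)
    _ctx.reason = reason
    try:
        yield
    finally:
        _ctx.reason = prev


def _acknowledge(what: str) -> None:
    """Fail unless inside unsafe(...); otherwise record what was accepted."""
    reason = getattr(_ctx, "reason", None)
    if reason is None:
        raise TaintError(f"{what}: expected an unsafe(...) block with a justification")
    AUDIT.append({"what": what, "reason": reason})


def verify(value: Any) -> Any:
    """Unwrap Unverified[T] -> T, but only inside unsafe(...) (EXAMPLE 1)."""
    if isinstance(value, Unverified):
        _acknowledge(f"use of Unverified value from {value.origin}")
        return value.inner
    return value


def create_bucket(name: str, **overrides: Any) -> Bucket:
    """Secure by default (EXAMPLE 4); each weakened key needs unsafe (EXAMPLES 2, 3)."""
    settings = dict(SECURE_DEFAULTS)
    for key, val in overrides.items():
        if key in SECURE_DEFAULTS and val != SECURE_DEFAULTS[key]:
            _acknowledge(f"bucket {name!r}: weakened {key}={val!r}")
        settings[key] = val
    return Bucket(name, settings)


def create_vpc(name: str, cidr: str, flow_logs: Bucket | Unverified[Bucket]) -> dict[str, str]:
    """A Bucket-typed parameter rejects Unverified[Bucket] outside unsafe(...)."""
    bucket = verify(flow_logs)
    return {"name": name, "cidr": cidr, "flowLogs": bucket.name}


if __name__ == "__main__":
    # Constructed sample: a bucket imported from outside the module.
    legacy = Unverified(Bucket("legacy", dict(SECURE_DEFAULTS)), "external/legacy-bucket")
    try:
        create_vpc("main", "10.0.0.0/16", legacy)
    except TaintError as err:
        print("rejected:", err)
    with unsafe("Using legacy bucket - verified secure in ticket SEC-123"):
        print("allowed:", create_vpc("main", "10.0.0.0/16", legacy))
    for entry in AUDIT:
        print(entry)
```

// Two points worth noting when reviewing a design like this. Weakened
// parameters are checked one key at a time, so a single unsafe block in
// EXAMPLE 3 produces one audit entry per weakened setting, which is what a
// reviewer wants to see. And the justification is required to be non-empty
// but is otherwise free text; the string is evidence for a human, not a
// check the tool performs.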