Build systems, not software.
From idea to production. Describe it. Approve it. Compile it. Ship it.
Official homepage: carrierlang.com
Carrier and CarrierLang are trademarks (TM) of Nikolai Manek.
Licensed under the Apache License 2.0. Copyright 2026 Nikolai Manek.
Carrier is a standalone compiled language for API services and backend business logic.
Carrier developers write .carrier files. The compiler lowers them through lexer, parser,
AST, semantic analysis, IR, Rust generation, Cargo, and finally to a native service binary.
Carrier is intentionally narrow:
- built for CRUD-heavy APIs, Postgres-backed services, and workflow-aware backend systems
- explicit about auth, policies, transactions, jobs, events, schedules, and external clients
- compiler-backed and structured enough for humans and AI code generators to stay consistent
- honest about the supported surface instead of hiding behavior behind framework magic
Carrier is not:
- a Rust framework
- a macro wrapper
- a general-purpose scripting language
What Compiles Today
Implemented today:
service,runtime,auth jwt,import,enum,type,model,crud,fn,action,policy,route,client,llm client,rag,workflow,event,job,schedule,stream,subscription,watch,sla,test,invariant, andui- arrays, optionals, enums,
Time,Date,UUID,Decimal, validation attributes, and JSON helpers - path params, query blocks, typed input bodies, OpenAPI generation, and docs UI
- CRUD with filters, pagination, sorting, search, soft delete, and restore
- batch import loops plus model bulk insert/upsert helpers
- transactions, row locking, optimistic
@version, and route idempotency - raw SQL helpers, DB function helpers, and typed external JSON clients
- policy/RLS generation with tenant and role session context
- cache/Redis helpers, jobs, schedules, events, workflows, realtime streams, and audit recording
- blob/file helpers, image helpers, PDF helpers, locale/address/phone helpers, and healthcare/FHIR helpers
- LLM clients with typed tool schemas, structured outputs, tenant budgets, and realtime streams
- scenario tests, property tests, bounded invariant verification, and generated API tests
- runtime depth guards, panic capture, evidence bundles, and the in-process Carrier Flight Recorder
- manifest generation plus migration generation and application commands
Still intentionally constrained:
- imports define the loaded source graph from
src/main.carrierwhen present, with root-file fallback for older layouts - migration diffing is structural and explicit, with conservative table and column rename detection
- hardening can either prepare local Schemathesis/oha/curl bombardment scripts or run a bounded
live probe harness against a generated child service with
carrier harden --run, including an owned disposable Postgres database withcarrier harden --run --sandbox-db - ops routes such as
/ops/runtimeand/ops/flightare generated as operational surfaces and should be protected by deployment policy until Carrier grows first-class ops-route auth configuration
API Surface Depth
Carrier is not just a CRUD generator. A generated service can include several API layers at once:
- Public and authenticated REST routes with typed path params, query structs, request bodies, response types, cache policy, idempotency keys, and OpenAPI metadata.
- Generated CRUD APIs with tenant-aware filters, list/search pagination, soft delete, restore, sorting, relation metadata, bulk insert/upsert, and optimistic write protection.
- Business actions that can be called from routes, jobs, event handlers, workflows, tests, and LLM tool dispatch while carrying the same auth, tenant, trace, and transaction context.
- Durable workflows, jobs, schedules, events, and
onhandlers for async and post-commit work. - Realtime streams, subscriptions, watches, and LLM streaming endpoints with transport negotiation.
- External clients for typed JSON APIs, generated federation endpoints, MCP/tool metadata, React Native SDK metadata, and manifest-driven downstream tooling.
- Data helpers for Postgres, raw SQL, DB functions, cache/Redis, audit, blobs, images, PDFs, healthcare payloads, vector similarity, and hybrid search.
- Runtime and ops APIs including
/health,/ready,/openapi.json,/docs,/ops/runtime,/ops/flight, blob download routes, and worker/runtime entrypoints.
The important product shape is that these surfaces are compiler-known. Carrier emits a native
binary, OpenAPI, .carrier/manifest.json, migrations, generated tests, verification reports, and
hardening artifacts from the same source graph.
Carrier Tank Hardening
Carrier Tank is the hardening track for making generated APIs survive hostile inputs and recursive runtime behavior.
service.runtimesupports explicit limits for request/action/route/workflow/expression depth, JSON body depth, schema expansion depth, OpenAPI ref depth, body size, artifact size, timeouts, panic policy, evidence bundle emission, and generated ops-route exposure.- Depth failures return structured
CARRIER_DEPTH_LIMIT_EXCEEDEDerrors withlimit,location, andhintmetadata instead of panicking or overflowing the stack. - Runtime panics are caught as
CARRIER_RUNTIME_PANICwhere the execution span can recover safely. - Evidence bundles capture request id, route/action/workflow context, tenant/auth shape, input shape, stack hash, panic/error metadata, source locations where available, suggested tests, and recent Flight Recorder events.
- The Flight Recorder keeps bounded in-process probe events and exposes snapshots through
/ops/flight?request_id=<id>whenruntime.ops_routesis notoff; the default ops policy islocal_only. carrier manifest auditreports manifest/OpenAPI/generated-Rust size, largest manifest sections, budget status, and suspicious secret-like literals.carrier tuneinspects local CPU/memory/process/open-file limits, generated API shape, artifact sizes, and optional Postgres reachability, then writes.carrier/tune.jsonand a copy-ready.carrier/tune.runtime.carriersnippet with recommendedservice.runtimeandDATABASE_MAX_CONNECTIONSvalues.carrier hardenruns compile checks, artifact budget checks, production-profile invariant verification, generated tests, static schema/ref depth checks, and writes deterministic smoke/fuzz/load scripts.carrier harden --runbuilds and starts the generated service on loopback when the port is env-driven, then runs health/readiness/OpenAPI/ops/auth-boundary/malformed-body/deep-body/ oversized-body/concurrency probes and records them in.carrier/harden/report.json.carrier harden --run --sandbox-dbcreates a uniquecarrier_harden_*Postgres database from the configured/defaultDATABASE_URL, points only the generated child service at it, runs live probes, and drops that owned database after the child exits.- Live hardening also probes tenant-scoped protected CRUD when a local JWT config is available: tenant A create/read/list control, tenant B list/read/update/delete isolation, missing tenant claims, invalid JWTs, wrong roles, and restore isolation for soft-deleted records.
carrier harden --chaosadds destructive payload fixtures for malformed JSON, deep bodies, weird Unicode, missing tenant claims, and overlap/concurrency probes.
Authoring Tiers
Carrier works best when you choose the smallest construct that matches the job.
Tier 1: Minimal / First-Pass-Safe
Use this for quick starts and AI-generated first drafts:
- one
service - optional
auth jwt type,route, andclientmodelpluscrud- simple
fnhelpers - single-file projects or very small multi-file projects
Start here with examples/hello-carrier.
Tier 2: Recommended Production Pattern
Use this for most business services:
- multi-file layout under
src/ model,type,crud,action,route- idempotent edge routes where retries matter
- transactions for business writes
- policy declarations for role and tenant rules
- structured
logs.*metadata
Start here with examples/inventory-control.
Tier 3: Advanced Runtime / Platform Pattern
Use this when the service needs more operational machinery:
- cache/Redis
- jobs and schedules
- events and audit trails
- raw SQL / DB function escape hatches
- richer policy/RLS use
- typed external integrations
Start here with api and use examples/booking-service as the concurrency/workflow supplement.
Tier 4: Tank / Chaos Pattern
Use this when you want to exercise the runtime under deliberately hostile API shapes:
- deeply nested models and recursive-looking relationships
- public and protected routes
- CRUD, restore, soft delete, search, list, pagination, and overlap checks
- malformed inputs, large payloads, weird Unicode, missing tenant claims, and invalid JWT paths
- actions calling actions, routes calling clients, workflow hooks, file/blob paths, and concurrency probes
Start here with examples/carrier-chaos-clinic.
Learning Ladder
- examples/hello-carrier Minimal single-file starter. Shows auth, typed request/response records, and simple routes.
- examples/inventory-control Recommended multi-file production shape. Shows imports, sorted file layout, CRUD, actions, idempotent admin routes, and thin-route patterns.
- api Advanced doctor-directory showcase. Shows policy/RLS, row locking, cache, jobs, events, schedules, raw SQL, DB function helpers, and external clients.
- examples/booking-service
Supplemental scheduling and concurrency example. Shows tenant-aware models,
@version, jobs, schedules, events, idempotent routes, and action-driven locking flows. - examples/carrier-chaos-clinic
Tank hardening testbed. Shows deliberately broad API shapes and
carrier harden --chaosfixtures for hostile payloads and runtime boundary probes.
Repository Layout
api/
benchmarks/
doctor-directory-bench/
crates/
carrier-ast/
carrier-lexer/
carrier-parser/
carrier-semantic/
carrier-ir/
carrier-codegen-rust/
carrier-runtime/
carrierc/
docs/
examples/
carrier-chaos-clinic/
hello-carrier/
inventory-control/
booking-service/
Install
Install the Carrier CLI from the public source repo:
curl -fsSL https://raw.githubusercontent.com/nikoma/carrier/main/install_carrier.sh | shThe installer builds carrierc with cargo install and writes the carrier executable to
~/.local/bin by default. It requires Git plus Rust/Cargo 1.85 or newer.
Install the companion MCP server too:
curl -fsSL https://raw.githubusercontent.com/nikoma/carrier/main/install_carrier.sh | sh -s -- --with-mcpInstall from a checkout or choose a different prefix/ref:
./install_carrier.sh --prefix "$HOME/.local" --branch main
./install_carrier.sh --with-mcpUse --tag or --rev when you want to pin installation to a release tag or commit.
CI And Build Caches
The GitHub Actions workflow runs formatting, cargo check --workspace, and workspace package tests
on Linux and macOS. The default test step excludes the carrierc integration suite because those
tests spawn many nested generated-service Cargo builds and need a separate resource-controlled job.
The workflow uses repository-scoped Actions caches for Cargo registry data, Git dependencies, and
target/ build output, keyed by OS plus Cargo.lock/Cargo.toml changes.
Commands
Build and test the compiler workspace:
cargo test
cargo run -p carrierc -- --helpCheck and build the minimal starter:
cd examples/hello-carrier
carrier check
carrier buildWrite project-local AI instructions for Codex and Claude:
cd /path/to/your/carrier-project
carrier agent-docsCheck and build the recommended multi-file example:
cd examples/inventory-control carrier check carrier build carrier openapi > openapi.json
Check and build the advanced showcase:
cd api carrier check carrier build carrier migrate generate carrier openapi > openapi.json
Check and build the workflow supplement:
cd examples/booking-service
carrier check
carrier build
carrier migrate generateRun the Tank hardening harness:
cd examples/carrier-chaos-clinic
carrier harden --chaos --run --sandbox-dbAsk Carrier for local runtime sizing advice:
carrier tune --profile production
Generated hardening artifacts are written under .carrier/harden/. Project-local
.carrier/manifest.json files are generated artifacts unless the project is one of the checked-in
fixture projects that intentionally pins manifest/OpenAPI compatibility output.
Documentation
Core references:
- Language Reference
- Stability Policy
- CLI Reference
- Runtime Errors
- Observability
- AI Authoring Guide
- Architecture
- MCP Integration
- Chat Mount Protocol
- React Native SDK
Task-focused guides:
- Construct Guide
- Multi-File Projects
- Workflow Patterns
- Batch Imports
- Healthcare FHIR Helpers
- PDF Generation
- Security Notes
- Performance Reference
- Migrations And Safety
Why Carrier Is AI-Friendly
Carrier’s advantage is not maximal language power. Its advantage is that it narrows backend choices into a compiler-checked set of patterns:
- explicit models, routes, actions, policies, jobs, and clients
- generated CRUD instead of hand-written repetition
- real transactions and escape hatches when generated CRUD is not enough
- machine-readable manifest, OpenAPI, verification, evidence, and hardening output for tooling
- predictable project structure and multi-file guidance
- project-local
AGENTS.mdandCLAUDE.mdscaffolding viacarrier agent-docs
That makes Carrier easier to generate correctly, review, and keep consistent over time.
























