Deploy Agda to Europe — Ulf Norell 🇸🇪 (Chalmers University of Technology 2007), the Language Where Types Are Proofs, on EU Infrastructure in 2026

In the early 1970s, the Swedish mathematician Per Martin-Löf 🇸🇪 of Stockholm University was working on the foundations of constructive mathematics. He wanted a logical framework in which every mathematical proof was also a computable program, and every program was also a proof. The result — Intuitionistic Type Theory (1972, 1984) — was one of the deepest contributions to logic and computer science of the twentieth century. It established the Curry-Howard correspondence as a precise mathematical discipline: types are propositions, programs are proofs, and the type-checker is the proof-checker.

Three decades later, at Chalmers University of Technology in Gothenburg, Sweden, a PhD student named Ulf Norell 🇸🇪 translated Martin-Löf's theory into a practical programming language. His 2007 doctoral thesis — "Towards a Practical Programming Language Based on Martin-Löf Type Theory" — introduced Agda 2, a dependently typed language in which the compiler verifies mathematical proofs, and in which the difference between a specification and its implementation collapses to zero.

The original Agda (1999) was created by Catarina Coquand 🇸🇪, also at Chalmers, as a proof assistant based on type theory — named after a Swedish folk song ("Agda" is a Swedish woman's name used in a traditional ballad). Catarina Coquand is the wife of Thierry Coquand 🇫🇷 (INRIA, Paris), who co-created the Calculus of Constructions (CoC) that underlies Coq/Rocq (#XX in this series). The two proof assistants — Coq and Agda — share the same theoretical DNA: both implement dependent type theory, both stem from the same European research community, and both arrived at the same destination by different paths.

Ulf Norell's Agda 2 was a redesign from scratch — a clean, practical language with a Unicode-friendly syntax, interactive proof development in Emacs, and a compiler backend targeting Haskell (MAlonzo) and later Erlang and JavaScript. It became the standard tool for type-theoretic research and the textbook proof assistant for Martin-Löf type theory in European and global universities.

What Makes Agda Different: Dependent Types

In most programming languages, types and values inhabit separate universes. A type like List<Int> does not know how many elements it contains. You can write a head function that fails at runtime on an empty list — the type system cannot prevent it.

Dependent types break this separation. In Agda, a type can depend on a value. This enables types that carry precise information about their inhabitants:

-- Vectors with compile-time length
data Vec (A : Set) : ℕ → Set where
  []   : Vec A zero
  _∷_  : ∀ {n} → A → Vec A n → Vec A (suc n)

-- head is ONLY callable on non-empty vectors (length ≥ 1)
head : ∀ {A n} → Vec A (suc n) → A
head (x ∷ _) = x
-- head [] is a TYPE ERROR — impossible to call on empty vector

The type Vec A (suc n) is a list of type A with exactly suc n elements (one or more). The head function is defined to accept only this type — the empty case Vec A zero is excluded by the type signature. This is not a runtime check. It is a compile-time guarantee enforced by the type system. A caller that passes an empty vector to head cannot compile.

This is the key insight of dependent types: specifications that would otherwise be expressed in documentation or tests can be expressed in types, and the compiler verifies them automatically.

Proofs as Programs

The Curry-Howard correspondence means that writing an Agda program is simultaneously writing a proof. Consider the commutativity of addition on natural numbers — a basic fact of arithmetic that requires a proof:

-- Proofs as programs: commutativity of addition
+-comm : ∀ (m n : ℕ) → m + n ≡ n + m
+-comm zero    n = sym (+-identityʳ n)
+-comm (suc m) n = trans (cong suc (+-comm m n)) (sym (+-suc n m))
-- This compiles = proof is correct

The type m + n ≡ n + m is a proposition. The term +-comm is a proof. If it type-checks, the proposition is proven. If it does not type-check, the proof is wrong. There is no separation between "the program compiles" and "the proof is valid."

This has profound consequences for software correctness. You can write an Agda module that implements a sorting algorithm and simultaneously proves that the output is sorted and contains exactly the same elements as the input. The proof is not a comment, not a unit test, not a documentation string — it is the code itself, verified mechanically by the type-checker.

More practically, you can write a parser and prove it is total (never loops), an API handler that proves it handles all input cases, or a cryptographic function that proves it has no buffer overflows. These are not aspirational claims — they are machine-verified theorems embedded in the type signatures.

The Chalmers Lineage

Chalmers University of Technology (Chalmers tekniska högskola) was founded in 1829 in Gothenburg, Sweden — the year William Austin Chalmers, a local merchant, bequeathed funds for a technical school. Sweden joined the European Union in 1995. Gothenburg, Sweden's second-largest city, has been a centre of EU-funded technical research throughout the post-1995 period.

Chalmers has an extraordinary concentration of programming language researchers relevant to this blog series:

Martin-Löf 🇸🇪 (Stockholm University, 1972)
  Intuitionistic Type Theory — the theoretical foundation
  │
  ├─ Catarina Coquand 🇸🇪 (Chalmers, 1999)
  │   Original Agda — first proof assistant at Chalmers
  │
  ├─ Ulf Norell 🇸🇪 (Chalmers, 2007)
  │   Agda 2 — "Towards a Practical Programming Language
  │   Based on Martin-Löf Type Theory" (PhD thesis)
  │   ├─ MAlonzo: Agda → Haskell backend
  │   ├─ agda2hs: Agda → clean Haskell output
  │   └─ Agda → Erlang backend
  │
  ├─ Lennart Augustsson 🇸🇪 (Chalmers, 1987) [#117 LML]
  │   G-machine, Haskell compiler tradition
  │
  ├─ John Hughes 🇸🇪 (Chalmers)
  │   QuickCheck, "Why Functional Programming Matters"
  │
  └─ Philip Wadler 🏴󠁧󠁢󠁳󠁣󠁴󠁷 (University of Edinburgh)
      Programming Language Foundations in Agda (PLFA)
      The standard Agda textbook

The proximity of Agda, LML (#117), and the Haskell tradition at a single Swedish university is not coincidental. Chalmers has been the dominant European site for functional programming and type theory research since the 1980s, supported by Swedish Research Council grants and EU framework programme funding.

The TYPES EU Consortium

The TYPES project — Types for Proofs and Programs — was a Marie Curie Research Training Network funded under the EU Fifth and Sixth Framework Programmes (FP5/FP6), spanning 2000–2008. It brought together the leading European centres for dependent type theory research:

• Chalmers University of Technology 🇸🇪 (Gothenburg) — Agda, proof theory
• TU Munich 🇩🇪 (Technische Universität München) — constructive mathematics, type systems
• Utrecht University 🇳🇱 (Utrecht) — Epigram, type-theoretic programming languages
• INRIA 🇫🇷 (Institut National de Recherche en Informatique) — Coq/Rocq development
• University of Edinburgh 🏴󠁧󠁢󠁳󠁣󠁴󠁷 — Philip Wadler, type theory, PLFA
• University of Nijmegen 🇳🇱 — constructive algebra, formalisation of mathematics
• University of Bologna 🇮🇹 — formal methods, certified compilers

The TYPES consortium produced Agda 2, significant portions of Coq's standard library, the Epigram language (Conor McBride, Edinburgh/Strathclyde), and the theoretical underpinnings of what would become Lean 4. This was EU-funded type theory, at scale, delivered as usable software.

The direct successor of TYPES — the COST Action EUTypes (CA15123, 2016–2020) — continued this work, again with Chalmers, INRIA, Utrecht, Munich, Edinburgh, and Bologna as core nodes.

Philip Wadler and PLFA

Philip Wadler 🏴󠁧󠁢󠁳󠁣󠁴󠁷 (University of Edinburgh) is one of the most influential computer scientists in Europe — Fellow of the Royal Society (FRS), co-designer of Haskell's type class system (with Stephen Blott, POPL 1989), author of "Theorems for Free!" (1989) and "Monads for Functional Programming" (1995). He also wrote what became the standard textbook for learning Agda.

Programming Language Foundations in Agda (PLFA) — co-authored with Wen Kokke and Jeremy Siek — teaches the theory of programming languages using Agda as both the subject language and the proof assistant. Every theorem in the book is a machine-verified Agda program. The book covers lambda calculus, operational semantics, type systems, and progress-and-preservation theorems — all formalised in Agda and type-checked.

PLFA is used in graduate courses at Edinburgh, Gothenburg, Utrecht, TU Munich, and universities worldwide. It exemplifies the Agda philosophy: learning formal semantics by writing proofs that the computer checks.

Agda's Compiler Backends

Agda is not purely a proof assistant. It is a dependently typed programming language that compiles to executable code. The primary backend has always been MAlonzo — Agda's Haskell compilation pipeline:

FROM haskell:9.6-slim AS agda-builder
RUN cabal update && cabal install agda
COPY . /app
WORKDIR /app
# Agda compiles to Haskell via MAlonzo, then to native binary
RUN agda --compile Main.agda

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y libgmp10 ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=agda-builder /app/Main /usr/local/bin/app
EXPOSE 8080
CMD ["/usr/local/bin/app"]

The --compile flag invokes MAlonzo: Agda translates the source to Haskell, then GHC compiles it to a native binary. The result is a standard Linux binary that runs at full native speed — dependent types impose zero runtime overhead. All the proof-checking happens at compile time.

For cleaner Haskell output (readable and interoperable with Haskell libraries), the agda2hs tool translates a subset of Agda to idiomatic Haskell:

-- agda2hs: write in Agda, output clean Haskell
{-# OPTIONS --erasure #-}
module Sort where

open import Haskell.Prelude

sort : ∀ {a : Set} → ⦃ Ord a ⦄ → List a → List a
sort []       = []
sort (x ∷ xs) = insertSorted x (sort xs)
  where
    insertSorted : a → List a → List a
    insertSorted y []       = y ∷ []
    insertSorted y (z ∷ zs) =
      if y <= z then y ∷ z ∷ zs else z ∷ insertSorted y zs

agda2hs produces Haskell that a Haskell developer can read, review, and deploy — without needing to understand Agda's syntax. The Agda source carries the formal proofs; the Haskell output carries the runtime logic.

Agda also supports an Erlang backend (useful for concurrent formally verified systems) and a JavaScript backend (for browser-side formal verification, less commonly used in production).

# sota.yaml — EU deployment of Agda-compiled binary
service:
  name: agda-verified-api
  runtime: docker
  region: eu-central-1   # Frankfurt, Germany
  resources:
    memory: 256MB
    cpu: 0.5
database:
  engine: postgresql17
  region: eu-central-1

EU Regulatory Angles

Agda's dependent types have direct relevance to Europe's regulatory framework for software quality, data protection, and AI safety.

GDPR Article 25 — Privacy by Design: Dependent types can encode data handling contracts directly in type signatures. A function that processes personal data can require — at the type level — a proof that consent has been obtained:

-- Proof of consent required at the type level
data ConsentProof : UserId → Purpose → Set where
  HasConsent : (u : UserId) → (p : Purpose) → ConsentGranted u p → ConsentProof u p

processPersonalData : ∀ {u p} → ConsentProof u p → PersonalData u → ProcessedData
processPersonalData _ data = -- implementation

This function is literally impossible to call without a ConsentProof term — a compile-time proof that consent exists for this user and purpose. There is no way to accidentally process personal data without consent; the code cannot compile. This is GDPR Article 25 (Privacy-by-Design) implemented as a type-level constraint.

EU AI Act Article 9 — Risk Management for High-Risk AI: The EU AI Act requires documented risk management systems for high-risk AI applications (medical devices, credit scoring, critical infrastructure). Agda proofs can constitute formal verification evidence. An Agda module that implements an AI decision algorithm and simultaneously proves its fairness properties (e.g., equal error rates across demographic groups) provides Article 9 documentation that is machine-checkable, reproducible, and tamper-evident.

-- EU AI Act: prove decision algorithm satisfies fairness constraint
FairnessConstraint : DecisionAlgorithm → Set
FairnessConstraint alg =
  ∀ (g1 g2 : DemographicGroup) (threshold : Score) →
    falsePositiveRate alg g1 threshold ≡ falsePositiveRate alg g2 threshold

-- Proof that our algorithm is fair — this IS the Article 9 risk documentation
algorithmIsFair : FairnessConstraint ourDecisionAlgorithm
algorithmIsFair = -- machine-verified proof

If this type-checks, the fairness property is proven for all possible inputs — not tested on a sample, not asserted in documentation, but mathematically verified.

NIS2 Directive — Security for Critical Infrastructure: NIS2 requires that operators of essential services (energy, transport, finance, healthcare) implement appropriate cybersecurity measures. Formally verified software provides provable security properties. An Agda-verified cryptographic library can prove the absence of buffer overflows, integer overflow vulnerabilities, and timing side channels — at the type level, for all inputs. This is not a penetration test; it is a mathematical proof.

The NIS2 Directive (transposed into national law by EU Member States by October 2024) explicitly encourages the use of state-of-the-art security practices. Formal verification via dependent types is exactly that.

The Agda to Idris Pipeline

One of the most productive consequences of Agda was Idris — created by Edwin Brady 🏴󠁧󠁢󠁳󠁣󠁴󠁷 at the University of St Andrews in Scotland, and later developed at the University of Edinburgh. Brady's goal was to take Agda's dependent type system and make it practical for everyday software development — not just formal verification of algorithms, but real-world application programming.

Idris 1 (2011) and Idris 2 (2020, using Quantitative Type Theory from McBride and Atkey at Strathclyde) can be seen as the "production-friendly" fork of Agda's type theory. Agda remains the tool for deep formal verification; Idris is the tool when you want dependent types in a language that feels more like Haskell.

The intellectual lineage: Martin-Löf (Stockholm) → Catarina Coquand (Chalmers, Agda 1) → Ulf Norell (Chalmers, Agda 2) → Edwin Brady (St Andrews/Edinburgh, Idris). All European, all publicly-funded research institutions.

Lean 4 (Microsoft Research, but foundationally rooted in Thierry Coquand's Calculus of Constructions and the TYPES EU research programme) is another descendant. The Lean mathlib library — a formal mathematics library containing thousands of proven theorems — directly benefits from the EU-funded dependent type theory research that produced Agda.

Interactive Proof Development

One of Agda's distinctive features is interactive proof development via the Agda mode for Emacs or the Language Server Protocol (LSP) for VS Code. The programmer writes a type signature, places a "hole" (?) in the implementation, and asks Agda to tell them:

• What type is required in the hole
• What variables are in scope with their types
• Whether the current partial definition type-checks

This interactive loop — type-directed programming — is a qualitatively different way of writing software. The type system becomes a dialogue partner, not a post-hoc validator. When you cannot figure out how to complete a proof, Agda can suggest candidate terms from the current context (Agsy auto-prover) or apply reflection to generate proofs automatically.

The result is that formally verified programs in Agda are often shorter than their informally verified equivalents in mainstream languages, because the type system handles much of the reasoning that would otherwise require defensive coding, null checks, and error handling boilerplate.

Nils Anders Danielsson and the Standard Library

Nils Anders Danielsson 🇸🇪 (Chalmers) is the primary maintainer of the Agda Standard Library — a comprehensive, machine-verified library of mathematical structures, data types, and algorithms. The standard library covers:

• Algebra: groups, rings, fields, lattices — all with machine-verified axioms
• Data: lists, vectors, trees, finite sets, maps — with verified properties
• Relation: equivalence, order, decidability
• Category theory: functors, natural transformations, monads

Every function in the standard library comes with a proof of its correctness. When you use sort from the standard library, you are using a sort function that has been proven to be correct, total, and output-sorted. This is not the case for the standard library of any mainstream language.

The standard library is developed openly on GitHub, with contributions from EU researchers at Chalmers, Utrecht, Edinburgh, and INRIA.

Deploy Agda to sota.io

The full Agda compilation pipeline — from .agda source to running binary — works with standard Docker tooling:

FROM haskell:9.6-slim AS agda-builder
# Install Agda from Hackage
RUN cabal update && cabal install agda

# For agda2hs workflow (clean Haskell output)
RUN cabal install agda2hs

COPY . /app
WORKDIR /app

# Type-check and compile via MAlonzo
RUN agda --compile Main.agda

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y libgmp10 libffi8 ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=agda-builder /app/Main /usr/local/bin/app
EXPOSE 8080
CMD ["/usr/local/bin/app"]

For the agda2hs workflow — write in Agda, deploy as Haskell:

FROM haskell:9.6-slim AS build
RUN cabal update && cabal install agda agda2hs

COPY agda-src/ /agda-src
WORKDIR /agda-src
# Translate Agda to idiomatic Haskell
RUN agda2hs Main.agda -o /haskell-out

WORKDIR /haskell-out
RUN cabal build

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y libgmp10 ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=build /haskell-out/dist-newstyle/**/app /usr/local/bin/app
EXPOSE 8080
CMD ["/usr/local/bin/app"]

# sota.yaml — EU deployment
service:
  name: agda-api
  runtime: docker
  region: eu-central-1   # Frankfurt, Germany
  resources:
    memory: 512MB
    cpu: 1.0
database:
  engine: postgresql17
  region: eu-central-1

# Deploy a formally verified Agda application to sota.io
sota deploy --region eu-central-1

# With managed PostgreSQL:
sota deploy --region eu-central-1 --with-postgres

# Check deployment:
sota logs --service agda-api --tail

See Also

• Deploy LML to Europe — Lennart Augustsson 🇸🇪 (Chalmers 1987). Also from Chalmers; the same institution that produced Agda. LML's G-machine influenced Haskell's compilation model, which Agda uses as its primary backend.
• Deploy Rocq/Coq to Europe — Thierry Coquand 🇫🇷 (INRIA 1985). Original Agda's author Catarina Coquand is his wife — Agda and Coq share the same theoretical roots in the Calculus of Constructions and Martin-Löf type theory.
• Deploy Idris to Europe — Edwin Brady 🏴󠁧󠁢󠁳󠁣󠁴󠁷 (University of St Andrews). Agda's practical successor: dependent types designed for real-world application programming rather than pure proof development.
• Deploy Lean 4 to Europe — Lean 4 builds on the same dependent type theory tradition. The Lean mathlib contains thousands of theorems proven in the same tradition as Agda's standard library.
• Deploy Gofer to Europe — Mark Jones 🇬🇧 (Oxford 1993). Agda and Gofer share the Haskell/Chalmers ecosystem: Agda compiles to Haskell, and Chalmers is where both Agda and the Haskell tradition (via John Hughes and LML) were developed.

Why sota.io for Agda Deployments

sota.io is the EU-native PaaS for developers who need European infrastructure — not as an afterthought, but as a technical requirement.

For Agda specifically:

• MAlonzo pipeline supported — Agda compiles to Haskell, Haskell compiles to binary, binary runs on Debian
• Managed PostgreSQL 17 included — works with Haskell's postgresql-simple, hasql, or persistent from the agda2hs output
• No cold start penalty (unlike serverless) — critical for applications where correctness is verified at compile time, not runtime
• EU data residency: Frankfurt region, no Schrems II exposure
• GDPR-compliant infrastructure matching Agda's type-level GDPR patterns

EU infrastructure as a technical guarantee:

• Data stays in Germany — no US CLOUD Act jurisdiction
• NIS2-compatible (ISO 27001 aligned)
• EU AI Act infrastructure for formally verified AI pipelines
• TYPES EU research legacy: the same EU institutions that built Agda define the regulatory environment for its use

The dependent type system Ulf Norell built at Chalmers in 2007 — grounded in Per Martin-Löf's 1972 intuitionistic type theory — represents the most principled approach to software correctness ever made practical. sota.io provides the EU infrastructure to deploy it, in the same European jurisdiction where it was created.

# Deploy a GHC-compiled Agda application to sota.io
sota deploy --region eu-central-1

# With database:
sota deploy --region eu-central-1 --with-postgres

# Check deployment:
sota logs --service agda-api --tail