Vision
Transform ThothCTL from an IaC management CLI into an IaC-native Framework-Defined Infrastructure platform where business intent and application conventions automatically produce production-ready infrastructure code — without requiring developers to write Terraform manually.
graph TB
INTENT["💡 Developer Intent<br/><i>'I need a microservices platform for my Python API'</i>"]
subgraph FdI["⚙️ ThothCTL FdI Engine"]
SPACE["🌐 Space Conventions"]
COMP["🧩 Composition Engine"]
AI["🤖 AI Inference<br/><i>from app code</i>"]
SPACE --> GEN
COMP --> GEN
AI --> GEN
GEN["📦 Generated Output<br/>Terraform/Tofu/CDK + CI/CD + Security + Cost"]
end
INTENT --> SPACE
INTENT --> COMP
INTENT --> AI
Current State (v0.15.0) — IaC Maturity Level 4+
| Capability |
Status |
| Template engine |
✅ Shipped |
| Space management (conventions, defaults) |
✅ Shipped |
| Security scanning (Checkov, KICS, Trivy) |
✅ Shipped |
| AI multi-agent review & fix generation |
✅ Shipped |
| Drift detection |
✅ Shipped |
| Cost analysis |
✅ Shipped |
| Inventory & dependency management |
✅ Shipped |
| OpenTelemetry observability |
✅ Shipped |
| MCP integration |
✅ Shipped |
Phase 1: Stack Composition Engine (v0.16 – v0.17)
Goal: Declaratively define infrastructure stacks from reusable building blocks.
Deliverables
| Feature |
Description |
| Stack manifest format |
TOML/YAML manifest declaring desired components (VPC, EKS, RDS, etc.) |
| Component catalog |
Library of composable infrastructure patterns per cloud provider |
thothctl generate stack |
Generates full IaC project from a stack manifest |
| Space-aware generation |
Stack inherits provider versions, backend config, and orchestration from active Space |
| Dependency resolution |
Automatic wiring between components (VPC → subnets → security groups → EKS) |
| Validation |
Pre-generation checks for compatibility, quotas, and compliance rules |
Example
# stack.thoth.yaml
name: payments-platform
cloud: aws
region: us-east-1
components:
- type: networking/vpc
cidr: "10.0.0.0/16"
availability_zones: 3
- type: compute/eks
version: "1.30"
node_groups:
- name: workers
instance_type: m6i.large
min_size: 3
max_size: 10
- type: database/rds-postgresql
version: "16"
instance_class: db.r6g.large
multi_az: true
- type: observability/cloudwatch
dashboards: true
alarms: true
thothctl generate stack --manifest stack.thoth.yaml --space production
# → outputs a complete Terraform/Terragrunt project
Phase 2: App-to-Infra Inference (v0.18 – v0.19)
Goal: Scan application source code and automatically infer the required infrastructure.
Deliverables
| Feature |
Description |
| App scanner |
Detects runtime, dependencies, ports, storage needs from app code |
| Inference rules |
Maps app patterns to infrastructure components (Dockerfile → ECS/EKS, requirements.txt → Lambda layer, etc.) |
thothctl generate stack --from-app ./src |
Generates stack manifest from application analysis |
| AI-assisted refinement |
AI agent reviews inferred stack and suggests optimizations |
| Interactive confirmation |
Developer reviews/edits inferred manifest before generation |
Inference Examples
| App Signal |
Inferred Infrastructure |
Dockerfile + EXPOSE 8080 |
ECS Fargate or EKS deployment + ALB |
requirements.txt + handler.py |
Lambda function + API Gateway |
docker-compose.yml with Redis |
ElastiCache cluster |
| PostgreSQL connection string in env |
RDS PostgreSQL |
| S3 SDK usage in code |
S3 bucket + IAM policy |
.github/workflows/ present |
CI/CD pipeline scaffolding |
Workflow
# Scan app and generate stack manifest
thothctl generate stack --from-app ./my-api --space production
# Output: inferred stack.thoth.yaml
# Developer reviews and approves
# Generate the IaC
thothctl generate stack --manifest stack.thoth.yaml
Phase 3: Convention-Driven Automation (v0.20 – v0.21)
Goal: The Space becomes a full "framework" that encodes organizational standards — infra generation is fully governed by conventions.
Deliverables
| Feature |
Description |
| Space policies |
Define mandatory components per stack type (e.g., all prod stacks must have WAF, CloudTrail, backup) |
| Naming conventions |
Auto-apply resource naming from Space rules (env, team, project) |
| Compliance templates |
Auto-inject compliance controls based on Space's regulatory profile (SOC2, HIPAA, PCI) |
| Cost guardrails |
Space-level budgets that reject stacks exceeding cost thresholds |
thothctl space policy add |
CLI to manage Space-level policies |
| Inheritance chain |
Space → Stack Type → Component (cascading defaults) |
Space Policy Example
# ~/.thothcf/spaces/production/policies.toml
[mandatory_components]
networking = ["waf", "vpc_flow_logs"]
compute = ["auto_scaling", "container_insights"]
data = ["encryption_at_rest", "automated_backups", "multi_az"]
security = ["cloudtrail", "guardduty", "security_hub"]
[naming]
pattern = "{space}-{project}-{component}-{env}"
[cost]
max_monthly_estimate = 50000 # USD
require_approval_above = 10000
[compliance]
frameworks = ["soc2", "hipaa"]
Phase 4: Continuous Reconciliation (v0.22+)
Goal: Move from one-time generation to continuous alignment between intent and infrastructure state.
Deliverables
| Feature |
Description |
| Intent drift detection |
Compare live infra against the stack manifest (not just IaC state) |
| Auto-regeneration |
When Space policies change, regenerate affected stacks and create PRs |
| Upgrade propagation |
When a component pattern is updated in the catalog, propagate to all stacks using it |
| Feedback loop |
Production metrics (cost spikes, incidents) feed back into the composition engine |
thothctl reconcile |
CLI command to align all stacks with current Space conventions |
Architecture
graph TB
SM["📋 Stack Manifest"]
LC["☁️ Live Cloud Resources"]
PM["📊 Production Metrics"]
SM --> RE
LC --> RE
PM --> RE
subgraph RE["🔄 Reconciliation Engine"]
ID["Intent Drift"]
SD["State Drift"]
CF["Cost/Perf Feedback"]
end
RE --> PR["📝 Auto-generated PRs<br/><i>IaC updates aligned to intent</i>"]
FdI Maturity Progression
| Phase |
ThothCTL becomes... |
Industry Equivalent |
| Current |
IaC lifecycle manager |
Terraform Cloud + Checkov |
| Phase 1 |
Declarative stack composer |
Terramate / Pulumi Crosswalk |
| Phase 2 |
Intent-driven IaC generator |
SST / Nitro (but for enterprise IaC) |
| Phase 3 |
Convention-governed IaC framework |
Backstage + Terraform (unified) |
| Phase 4 |
Self-reconciling IaC platform |
Full FdI — no equivalent in IaC space today |
Differentiation
Unlike existing FdI tools (Vercel, SST, Nitro) which target frontend/serverless apps:
- ThothCTL FdI targets enterprise infrastructure compositions (VPCs, EKS, RDS, multi-account)
- Works with existing IaC tools (Terraform, Tofu, Terragrunt) — not a replacement
- Security-first — compliance, scanning, and AI review baked into the generation pipeline
- Multi-cloud — not locked to a single provider's serverless platform
- Organization-aware — Spaces encode team conventions, not just technical defaults
Success Metrics
| Metric |
Target |
| Time from idea to deployable IaC |
< 5 minutes (vs hours/days manually) |
| Manual Terraform lines written by developers |
Reduced by 80% |
| Compliance violations at generation time |
0 (caught before code exists) |
| Infrastructure consistency across teams |
100% (governed by Space policies) |
| Cost surprises post-deployment |
Eliminated (pre-generation estimates) |
Timeline Estimate
| Phase |
Target |
Dependency |
| Phase 1 |
v0.16 – v0.17 |
Component catalog design |
| Phase 2 |
v0.18 – v0.19 |
Phase 1 + Strands Agents SDK |
| Phase 3 |
v0.20 – v0.21 |
Phase 2 + policy engine |
| Phase 4 |
v0.22+ |
Phase 3 + production integrations |