Skip to main content
Cloudgeni gives agents infrastructure context without giving them deployment control.

The Short Version

  • Agents do not deploy. No direct apply, deploy, or production cloud mutation.
  • Cloud access is read-first. Inventory, findings, resource context, and validation inputs.
  • Changes land as PRs. Your team reviews, merges, and deploys.
  • Runs are scoped. Selected repositories, integrations, tools, and organization data only.

Architecture Overview

Four paths matter:
  • Customer environment: users, Git providers, cloud accounts, and CI/CD stay under customer control.
  • Cloudgeni control plane: the web app, CLI, API, queues, workers, storage, audit logs, and telemetry coordinate work.
  • Read-first cloud path: Cloudgeni reads control-plane metadata, findings, resource relationships, and validation context.
  • Pull-request write path: code changes are delivered through branches and pull requests, then deployed by customer CI/CD.
1

A task starts

A user prompt, schedule, webhook, scan result, drift item, or import request creates work.
2

Cloudgeni authorizes scope

The API resolves organization, workspace, repository, integration, and actor before dispatch.
3

A worker runs the agent

The agent receives selected context, task-specific tools, and an ephemeral run context.
4

Evidence is recorded

Session messages, tool output, scan state, credential usage, audit events, and telemetry are persisted for review.
5

The customer reviews the result

Infrastructure changes land as pull requests or other reviewable session output.

Commitments

Cloudgeni produces reviewable output, not production deployment.
Cloud access is read-first by default. Azure Cost Management Reader is used only for actual billing summaries, not workload data. Git access is scoped to connected providers and selected repositories.
Agent runs use task-specific tools, selected context, and execution limits.
Organization context is enforced through API, worker, storage, and audit paths.
Supported workflows run plan-style or static checks before output is finalized. Sessions, scans, credential usage, and security events are logged.

Data And Credentials

Cloudgeni is a control-plane and IaC-plane product. Cloudgeni needs infrastructure metadata, selected repository content, findings, prompts, generated changes, and audit events. Cloudgeni does not need application databases, runtime traffic, end-user app data, or production secrets embedded in customer systems. Deployment-grade credentials should stay in customer CI/CD. Cloudgeni can generate and validate the proposed IaC; the final plan/apply or deploy step remains customer-controlled.

Infrastructure Agents Guide

Our open guide to designing, building, and operating infrastructure agents safely.

OpenGeni

A self-hostable managed agent service for long-running infrastructure work.

Connect Cloud Accounts

Provider setup paths and read-first cloud access guidance.

AI DevOps

How interactive agent sessions work in the product.