Developers describe their app in a single Wayfinder.yaml. One wf up and they get a real environment, through plans your platform team curates. No Terraform. No tickets.
Free forever · No commitment · Upgrade anytime
Wayfinder.yaml is the app's contract with the platform. Developers declare what they need; Wayfinder picks the approved plan, provisions the cloud and deploys.
apiVersion: app.appvia.io/v3 kind: StackDefinition metadata: name: orderly spec: cloudResources: - name: orders plan: dynamodb-standard - name: events plan: sns-topic kubeResources: - name: api plan: web-service vars: image: ghcr.io/acme/api:latest
$ wf up → resolving plans from catalogue → provisioning orders (dynamodb-standard) → provisioning events (sns-topic) → wiring workload identities → deploying api (web-service) ✓ stack instance ready $ wf access cluster → short-lived kubeconfig issued → kubectl ready for 60 minutes
No hand-coded IAM. No separate CI pipeline. The whole stack - cloud resources, identities, workloads - comes up from the manifest your platform team's plans tell Wayfinder how to build.
The catalogue holds CloudResourcePlans (DynamoDB, Postgres, S3, queues, networks) and KubeResourcePlans (web services, jobs, ingresses). Your platform team authors them with AI help and tests them in your real cloud before they publish. Developers just pick.
Terraform-backed cloud infrastructure with the rough edges already filed off. Each plan knows which cloud it's for and ships with defaults the platform team has signed off on.
dynamodb-standardpostgres-auroras3-private-bucketsns-topicvpc-baselineHelm-backed delivery patterns. Web services, scheduled jobs, ingress routing, anything that runs on the cluster. Variables developers care about, defaults the platform team owns.
web-servicescheduled-jobingress-publicworker-queue-consumercronjob-cleanupThe catalogue is authored by AI agents on the platform-team side. The plan name on the right is all a developer needs to know.
wf up, plans tuned per cloud.A Wayfinder.yaml on Azure looks the same shape as one on AWS. The plans behind the names differ; the developer experience doesn't. Switch cloud by picking a different plan, not by rewriting the app.
Lambdas, API Gateway, DynamoDB, SNS, S3, CloudFront. Managed EKS for Kubernetes workloads. Workload identity via OIDC trust.
examples/quickstart/aws/Wayfinder.yaml
Functions, App Service, CosmosDB, Service Bus, Blob Storage, Front Door. Managed AKS for Kubernetes workloads. Workload identity via OIDC trust.
examples/quickstart/azure/Wayfinder.yaml
Cloud Functions, Cloud Run, Spanner, Pub/Sub, GCS, Cloud CDN. Managed GKE for Kubernetes workloads. Workload identity via OIDC trust.
examples/e2e/wf-up/gcp/Wayfinder.yaml
kubectl. No static cloud keys at runtime.
wf access cluster issues a short-lived kubectl session scoped to the developer's namespace. Workloads reach AWS, Azure or GCP via OIDC trust. No long-term keys in the cluster or on a laptop.
wf access cluster - time-bound kubeconfig mapped to Kubernetes RBACwf access namespace - scoped to the workspace you ownwf access stackinstance - for the running stack's namespaceFor the platform team's side of the same story - per-workload IAM, the audit trail, the policy gates - see Security.
Wayfinder ships its own MCP server. Run wf setup mcp and Claude Code, Cursor, VS Code, Windsurf or Antigravity can query plans, validate Wayfinder.yaml and inspect your resources. Under your RBAC, no extra token.
Real Wayfinder.yaml, real commands, real outcomes - read end-to-end.
Deploy a real event-driven AWS application - 5 Lambdas, API Gateway, CloudFront, DynamoDB, SNS, S3 and a React SPA - from your laptop with one wf up.
A preview environment on every pull request. A throwaway stack on your laptop. wf up on open, wf down on close. No orphans on next month's cloud bill.
Import an existing cluster, share it across workspaces with scoped access, and hand out short-lived kubectl sessions mapped to Kubernetes RBAC.
Free tier. Full platform. One manifest away from running.
Free forever · No commitment · Upgrade anytime