Architecture

git push → live URL.
Here's what happens.

TheoCloud abstracts the runtime so you write code, not infrastructure. This page documents the five-step flow and the trust pillars underneath, at the level of detail a platform engineer needs to evaluate adoption. Internals such as the specific orchestrator, image registry and CDN provider are intentionally not named (the same posture as Vercel, Render and Railway); they ship as part of the Enterprise architecture deck under NDA.

From git push to live URL

  1. You push

     git push or theo deploy from CI. Theo reads theo.yaml (an open, declarative format) and your repo at the pushed commit SHA.

     • Source of truth: your Git repo
     • Build trigger: commit SHA + branch
     • Config: theo.yaml (declarative, portable)

  2. We build

     Containerised build from your stack (Node, Go, Python, Rust, Java, Ruby, PHP, Next.js) using the same builder TheoCloud runs for every customer. Builds are cache-deterministic: identical inputs hit identical cached layers. Bit-for-bit reproducible builds are on the roadmap, so do not yet expect a rebuild to reproduce a published image digest. Build logs stream live.

     • Output: signed OCI container image
     • Cache: incremental layer cache per project
     • SBOM: emitted per build (CycloneDX format), on every tier

  3. We verify

     The image is cryptographically signed before it can deploy. A vulnerability scan runs on every build. A provenance attestation is attached for audit.

     • Signature: Sigstore-compatible (publicly verifiable)
     • Scan: blocks deploy on Critical CVEs
     • Provenance: SLSA-style attestation

  4. We ship

     The image rolls out to your environment. Health checks gate traffic. Canary control depends on tier (automatic on Pro, fully configurable on Team). You get a live URL.

     • Strategy: blue/green by default · canary opt-in
     • Traffic: gated by health probes (readiness + liveness)
     • URL: live HTTPS, ~4 min median

  5. You observe

     Structured logs, request metrics, and agent-specific spans (LLM calls, token spend, sub-agent fan-out). Every deploy is reversible: theo rollback switches traffic back in seconds.

     • Logs: structured JSON · 30-day retention
     • Metrics: RED + USE + agent-specific (token spend, LLM latency)
     • Rollback: theo rollback, traffic switch in seconds
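Steps 02 and 03 above describe an SBOM emitted per build and a scan gate that blocks deploys on Critical findings. The following is an added worked example, not TheoCloud's code and not a description of its actual scanner: a deploy gate that reads a CycloneDX JSON SBOM carrying embedded vulnerabilities (the `vulnerabilities` array and its `ratings[].severity` values are part of the CycloneDX schema) and decides whether the image may ship. The SBOM contents and the `EXAMPLE-*` identifiers are constructed; the configurable threshold and the fail-closed treatment of unrated findings are this example's assumptions, not published TheoCloud behaviour.

```python
import json

# Added example (not TheoCloud's code): a deploy gate over a CycloneDX SBOM.
# Severity enum as defined by the CycloneDX vulnerability schema; "unknown"
# is deliberately absent so it never ranks.
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def worst_severity(vuln):
    """Highest severity any rating source assigned to this vulnerability,
    or None if no rating carried a recognised severity. Scanners disagree,
    so the gate takes the most pessimistic rating."""
    best = None
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        rank = SEVERITY_RANK.get(sev)
        if rank is not None and (best is None or rank > best):
            best = rank
    return best


def evaluate_sbom(sbom_json, block_at="critical", fail_closed=True):
    """Gate a deploy on the SBOM's embedded vulnerabilities.

    block_at    - minimum severity that blocks (assumption: "critical",
                  matching the page's "blocks deploy on Critical CVEs").
    fail_closed - assumption: a finding with no usable severity also blocks,
                  because "unrated" is not the same as "safe".
    Returns a dict with allowed, blocking, unrated and dangling lists; the
    dangling list holds vulnerability ids whose 'affects' refs point at no
    component in the BOM, which usually means a malformed or stale SBOM.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    threshold = SEVERITY_RANK[block_at]
    known_refs = {c.get("bom-ref") for c in sbom.get("components", [])}

    blocking, unrated, dangling = [], [], []
    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        if any(r not in known_refs for r in refs):
            dangling.append(vid)
        rank = worst_severity(vuln)
        if rank is None:
            unrated.append(vid)
        elif rank >= threshold:
            blocking.append(vid)

    allowed = not blocking and not (fail_closed and unrated)
    return {"allowed": allowed, "blocking": blocking,
            "unrated": unrated, "dangling": dangling}


# Constructed sample SBOM. Component and vulnerability identifiers are fake
# placeholders, not real packages' advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-a@1.0.0",
         "name": "example-a", "version": "1.0.0"},
        {"type": "library", "bom-ref": "pkg:pypi/example-b@2.0.0",
         "name": "example-b", "version": "2.0.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"source": {"name": "scanner-a"}, "severity": "high"},
                     {"source": {"name": "scanner-b"}, "severity": "critical"}],
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}]},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/example-b@2.0.0"}]},
        {"id": "EXAMPLE-0003",
         "ratings": [{"severity": "unknown"}],
         "affects": [{"ref": "pkg:npm/example-c@3.0.0"}]},  # not in components
    ],
})

# Constructed SBOM with only a medium finding: passes the default gate.
CLEAN_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"type": "library", "bom-ref": "pkg:pypi/example-b@2.0.0",
                    "name": "example-b", "version": "2.0.0"}],
    "vulnerabilities": [{"id": "EXAMPLE-0002",
                         "ratings": [{"severity": "medium"}],
                         "affects": [{"ref": "pkg:pypi/example-b@2.0.0"}]}],
})

if __name__ == "__main__":
    print(json.dumps(evaluate_sbom(SAMPLE_SBOM), indent=2))
    print(json.dumps(evaluate_sbom(CLEAN_SBOM), indent=2))
```

Two design points a practitioner would check against any real gate: ratings from several scanners are merged pessimistically rather than trusting the first one, and a finding whose severity the scanner could not classify does not silently pass. Lowering `block_at` to "high" is the obvious tightening once your own triage backlog can absorb it.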

What stays guaranteed

Tenant isolation

Each project runs in a managed Kubernetes namespace with per-tenant network policies (default-deny ingress, explicit egress allowlist) and a per-tenant secret namespace. Workloads that run LLM-generated code are additionally sandboxed with gVisor on Pro and above; Starter runs them on plain runc, with no user-space kernel between the workload and the host kernel. Enterprise can opt into dedicated cells (one Kubernetes cluster per tenant) for stronger isolation.

Secret management

Envelope encryption: each secret is encrypted with an AES-256-GCM data key, and the data key is wrapped by a master key held in KMS and rotated annually. Secrets are scoped per environment. They are injected as environment variables at runtime (so any child process your service spawns inherits them), never persisted to disk on the worker, and never logged. Operator access to secrets requires two-person approval and is audit-logged. BYOK / HYOK (bring your own KMS key, hold your own key) is on the Enterprise roadmap for Q4 2026, with AWS KMS, GCP KMS, Azure Key Vault and HashiCorp Vault integrations.

Network model

Default-deny ingress: only the deploy URL accepts traffic, with TLS 1.3 terminated at the edge and HSTS preload. Egress is allowlisted: by default the runtime can reach package registries (npm/PyPI/crates.io), OIDC providers, and the endpoints you declare in theo.yaml; anything else is added on request.

Resilience targets

  • RTO (Recovery Time Objective): 30 min for Sev-1 (Enterprise SLA), 4 h for Sev-2.
  • RPO (Recovery Point Objective): 5 min for runtime state, 15 min for build artifacts + audit log.
  • Backup cadence: 30-day rolling snapshots, restore tested monthly in a DR drill.
  • Multi-region failover: active/passive on Enterprise dedicated cells; active/active on the roadmap for Q1 2027.

Annual DR drill report shared with Enterprise customers under MSA NDA. Sev-1 incident communication SLA: 24h to designated DPO + public post-mortem within 5 business days.

Portability — by design

The open-source funnel (TheoCode, TheoCreate, TheoKit) is Apache-2.0; TheoCloud, the runtime, is commercial. Your code never depends on Theo-specific APIs: your repo, theo.yaml and the container image are portable to any Kubernetes cluster or competitor PaaS. Self-hosting is available under a commercial licence. Worst case: rebuild on any orchestrator in under a day.

We'd rather lose you to your own infra than lock you in. Lock-in is a tax on trust.

Read the OSS funnel

TheoCode, TheoCreate, TheoKit are Apache-2.0. Every commit, every CI run, every release notes file is public.

Architecture deck (NDA)

C4 diagrams, sequence flows, IaC modules, runbooks, and SLA model ship as part of the Enterprise evaluation kit. Request access via Enterprise.

Honest disclosure: this page is the public-facing architecture overview. The Enterprise architecture deck includes named components, sequence diagrams per critical flow, IaC modules, and a documented threat model. Request via /enterprise.