Deterministic Verification for Infrastructure as Code (IaC)
"Don't let AI hallucinate your cloud bill to $20,000."
AI agents like Devin, GitHub Copilot Workspace, and Cursor are writing Terraform and Kubernetes configs. But AI doesn't understand consequences.
| Case | What AI Wrote | Real World Impact |
|---|---|---|
| IAM Permission | Action: "s3:*", Resource: "*" |
Data Breach: Entire bucket exposed to public. |
| Network Rule | Ingress: 0.0.0.0/0, Port: 22 |
Ransomware: SSH open to the whole internet. |
| Instance Type | instance_type = "p4d.24xlarge" |
Bankrupt: $23,000/month bill for a dev env. |
- A Mathematical Proof Engine: Uses Z3 Theorem Prover to prove your IAM policies are secure.
- A Graph Analyzer: Uses NetworkX to map and verify network reachability (Reachability Analysis).
- Deterministic: Inputs are code, output is
True/Falsewith 100% certainty. - A "Guard" Layer: Plugs into CI/CD to block AI-generated PRs that violate rules.
- A Linter: We don't just check syntax (like TFLint). We check logic.
- A Cost Explorer: We predict costs before deployment, not after you get the bill.
- Black Box AI: We don't use LLMs to verify LLMs. We use Math.
| Feature | TFLint / Checkov / TFSec | QWED-Infra |
|---|---|---|
| Approach | Regex / Static Pattern Matching | Symbolic Execution (Z3) & Graph Theory |
| IAM Logic | Can catch s3:* text match |
Proves Allow overrides Deny logically |
| Network | Checks generic "port 22 open" | Traces Internet -> IGW -> Route -> SG -> VM |
| Cost | N/A (usually distinct tools) | Deterministic Pre-Deployment Estimation |
| Accuracy | High False Positives | Mathematically Proven Correctness |
Converts AWS IAM Policies into logical formulas.
- Wildcards: Handles
s3:Get*vss3:GetObject. - Logic: Proves
Denystatements always win. - Context: Verifies against specific conditions (e.g.,
aws:SourceIp).
Builds a directed graph of your VPC.
- Reachability: "Can an attacker on the Internet reach my Database?"
- Path Analysis: Traces routes through Subnets, NACLs, and Security Groups.
Prevents financial ruin.
- Static Catalog: Embedded prices for standard AWS resources.
- Budget Checks:
if estimated_cost > $500: Block Deployment.
pip install qwed-infra(Node.js/npm SDK coming soon)
from qwed_infra import IamGuard
guard = IamGuard()
policy = {
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.0/24"}}
}
# Verify: Is it accessible from the public internet?
result = guard.verify_access(
policy,
action="s3:GetObject",
resource="my-bucket",
context={"aws:SourceIp": "8.8.8.8"} # Public IP
)
print(result.allowed) # -> False (Blocked by IP)from qwed_infra import NetworkGuard
net = NetworkGuard()
infra = {
"subnets": [{"id": "public", "routes": "igw"}],
"instances": [{"id": "web", "subnet": "public", "sg": "open-sg"}]
}
# Is the instance reachable from Internet?
print(net.verify_reachability(infra, "internet", "web"))
# -> True (Risk Alert!)from qwed_infra import CostGuard
cost = CostGuard()
resources = [{"type": "p4d.24xlarge", "count": 2}] # Expensive!
result = cost.verify_budget(resources, budget_monthly=1000)
print(result.within_budget) # -> False
print(result.reason) # -> "Est. $46,000 > Budget $1,000"Q: Do I need Terraform installed?
A: No. qwed-infra parses .tf files as text using a custom HCL parser (or operates on JSON plans).
Q: Can it verify Kubernetes? A: Currently focuses on AWS Terraform. K8s Manifest verification is on the roadmap (Phase 19).
Q: Why standard pricing?
A: We use public On-Demand pricing for "Worst Case" estimation. If you have Enterprise Discounts, qwed-infra ensures you remain safe even at list price.
- โ v0.1.0: IAM Z3 Logic, Basic Network Graph, Static Cost Catalog. (Released)
- ๐ง v0.2.0: K8s Manifest Verification, Azure Support.
- ๐ฎ v1.0.0: VS Code Extension & GitHub App Auto-Commenter.
| Package | What it does |
|---|---|
| qwed-verification | Core deterministic AI verification (Math, Logic, Code) |
| qwed-open-responses | Guards for OpenAI/LangChain agent outputs |
| qwed-infra โ you are here | IaC verification (Terraform/IAM/Network/Cost) |
| qwed-a2a | Agent-to-Agent verification protocol |
| qwed-mcp | Model Context Protocol verification |
| qwed-ucp | Unified Context Protocol |
| qwed-finance | Financial computation verification |
| qwed-tax | Tax calculation verification |
| qwed-legal | Legal document verification |
| qwed-learning | Educational content verification |
Apache 2.0 - Open Source.
Safe Infrastructure is Scalable Infrastructure.
Built by QWED-AI
Built by QWED-AI