Roadmap

Where Clu is going.

An honest look at what we're shipping right now, what's queued for the next few releases, and what's on the horizon once Clu opens beyond the AWS Marketplace preview.

Roadmap items are directional. Priorities can shift based on pilot feedback — if something here matters to your team, tell us and we'll move it up.

Now

Preview / pilot stabilization on AWS Marketplace

  1. Multi-tenant audit scoping

    Audit log filtered per operator so chat history and write attempts are visible only to the operator who made them.

  2. Approval-payload integrity

    Signed approval payloads so a staged write can't be tampered with between operator approval and dispatch.

  3. Hardening pass

    CSRF on every write endpoint, idempotent approval decisions, SSE buffer + reconnect handling, error boundaries on every view, and Markdown sanitization on agent output.

  4. Marketplace listing polish

    Pod-identity association, configuration schema, and IRSA-required signal on the EKS Add-on listing — final cleanup before flipping the listing out of preview.

Next

Coming over the next few releases

  1. Topology view rework

    Hierarchical Nodes → Namespaces → workloads graph with severity rollups, drill-down highlighting from the dashboard, and quick-action overlays straight off the canvas.

  2. Releases panel

    A first-class view of every Helm release and write-op the agent has applied, with per-row quick actions (uninstall, patch values, patch manifest) all running through the same approval flow.

  3. Cost-aware monitor on the green path

    After an approved write lands, Clu watches for a healthy rollout and reports the outcome with zero LLM spend in the common case. Today the agent stays in the loop until the rollout settles, which costs tokens it shouldn't need to spend.

  4. Curated knowledge bundles

    Cloudology publishes signed K8s and cloud best-practice bundles that your cluster's agent picks up on a refresh cadence — keeps the agent current on patterns and gotchas without re-prompting and without your cluster reaching the public internet.

  5. Deeper IDP capability

    Approval-gated `helm uninstall` and Kubernetes `delete`, plus a provenance check that prefers `helm uninstall` over raw `kubectl delete` for resources owned by a chart so the chart manifest stays the source of truth.

  6. In-product upgrade indicator

    A version-finder running inside the cluster surfaces when a newer Clu release is available with a one-line summary of what's in it.

  7. Direct-tool slash commands

    `/kubectl`, `/aws`, `/helm` — bypass the LLM entirely for the times you already know what you want to run, while keeping the same audit-log + approval surface.

Later

Post-preview — sequenced after the public flip

  1. Platform expansion

    Azure AKS and Google GKE support — same Core observability surface, with provider-specific Cloud bindings for IAM and managed-service inventory. On-prem / self-managed Kubernetes ships in parallel without the Cloud capability.

  2. Public-registry distribution

    GHCR-distributed images and chart with a self-managed license, opening Clu to customers who can't or won't go through AWS Marketplace billing. Marketplace stays the easiest path for AWS shops.

  3. Enterprise Marketplace listing

    Private-Offer pricing on the AWS Marketplace listing for customers negotiating committed-spend deals through their AWS reps.

  4. Pluggable observability

    Bring-your-own metric collector — Datadog, OpenTelemetry, New Relic, Grafana Mimir, VictoriaMetrics, Grafana Cloud. Same dashboard widgets, your existing pipeline.

  5. Per-operator identity

    Move beyond proxy-injected operator headers to first-class identity (OIDC group claims, RBAC-aware capability gating) so larger teams can give different operators different write scope.

  6. External scanner overlays

    Trivy, Grype, and Amazon ECR scan results layered onto the topology graph so security findings sit where the workload sits.

  7. Clu CLI

    Terminal-driven access to the IDP scaffolding and write tools for operators who'd rather drive from the shell. Same approval flow either way.

  8. In-product model picker

    Switch the agent's per-tier model from inside the UI without redeploying — for teams that want to A/B providers or move between Bedrock and an OpenAI-compatible endpoint over time.

Already in your cluster

Core (always-on troubleshooting, knowledge graph, health reports), Core Plus (approval-gated writes), and Cloud (AWS IAM mapping, managed-service inventory, cost analysis) are all live in the v0.2.x line. The Developer Platform capability (self-serve developer onboarding — golden paths, manifest emission) ships in a follow-up. All four are included at the single flat AWS Marketplace rate. See the changelog for per-release detail and the capabilities overview for what each tier does today.