stratumiops/docs/en/ops/ops-stratumiops-projects-positioning.md
Jesús Pérez 1680d80a3d
chore: Init repo, add docs
2026-01-22 22:15:19 +00:00

Ops/DevOps Portfolio: Strategic Positioning

Executive Summary

This document analyzes the five-project portfolio from the Ops/DevOps perspective, positioning them against established market tools:

| Project | Domain | Competes With |
| --- | --- | --- |
| Provisioning | IaC + Orchestration | Terraform, Pulumi, Ansible, CloudFormation |
| SecretumVault | Secrets Management | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault |
| Vapora | Agent Orchestration | Jenkins, GitHub Actions, Tekton, ArgoCD |
| TypeDialog | Configuration + IaC Gen | Terraform modules, Cookiecutter, Yeoman |
| Kogral | Knowledge Management | Confluence, Notion, Internal wikis |

1. Ops Functionality Matrix

Capabilities per Project

| Capability | Provisioning | SecretumVault | Vapora | TypeDialog | Kogral |
| --- | --- | --- | --- | --- | --- |
| Multi-cloud | AWS, UpCloud, Local | N/A (storage agnostic) | N/A | Yes (prov-gen) | N/A |
| Declarative IaC | Nickel (typed) | N/A | N/A | Generates Nickel | N/A |
| Secrets management | Integrates KMS | 4 engines | Uses vault | N/A | N/A |
| Orchestration | Rust orchestrator | N/A | NATS JetStream | N/A | N/A |
| Post-Quantum Crypto | Via SecretumVault | ML-KEM/ML-DSA | N/A | N/A | N/A |
| Automatic rollback | Checkpoints | N/A | Pipeline rollback | N/A | N/A |
| Policy engine | Cedar RBAC/ABAC | Cedar ABAC | Cedar multi-tenant | N/A | N/A |
| Audit logging | 7 years retention | Complete | SurrealDB | N/A | Git history |
| AI-assisted | MCP + RAG | N/A | LLM routing | Agent backend | MCP search |
| REST API | Axum control-center | Axum vault API | Axum backend | Axum web backend | N/A (MCP) |
| Storage backends | SurrealDB | FS/etcd/SurrealDB/PostgreSQL | SurrealDB + NATS | Multi-format | FS + SurrealDB |
| CLI | 80+ shortcuts | svault CLI | vapora CLI | typedialog CLI | kogral CLI |

Common Technology Stack (Ops Perspective)

┌─────────────────────────────────────────────────────────────────┐
│                    SHARED TECHNOLOGIES                          │
├─────────────────────────────────────────────────────────────────┤
│  Language: Rust (performance, memory-safety)                    │
│  Config: Nickel (pre-runtime validation, lazy eval)             │
│  DB: SurrealDB (multi-model, scopes, time-series)               │
│  Web: Axum (async, composable routing)                          │
│  Messaging: NATS JetStream (at-least-once, persistence)         │
│  Policy: Cedar (ABAC, AWS-compatible)                           │
│  Crypto: OpenSSL, OQS (PQC), AWS-LC, RustCrypto                 │
│  Logging: tracing (structured, JSON output)                     │
└─────────────────────────────────────────────────────────────────┘

2. Positioning vs Competition (Ops Tools)

Provisioning vs Terraform

| Aspect | Provisioning | Terraform |
| --- | --- | --- |
| IaC Language | Nickel (typed, lazy) | HCL (untyped) |
| Validation | Pre-runtime (compilation) | Runtime (terraform plan) |
| Multi-cloud | AWS, UpCloud, Local | Yes (100+ providers) |
| AI native | MCP + RAG (1000x Python) | Terraform Cloud AI (limited) |
| Orchestration | Rust hybrid orchestrator | State file + lock |
| Rollback | Automatic with checkpoints | Manual (terraform destroy) |
| Security | 39K lines (12 components) | Vault plugin, external |
| Ecosystem | ⚠️ Small | Huge (Terraform Registry) |
| Learning curve | High (Nickel + Nushell) | Moderate (familiar HCL) |
| Best For | Rust teams, typed IaC, AI-assisted | General use, large ecosystem |

Key differentiator: Provisioning combines typed declarative IaC (Nickel) with AI-assisted generation (MCP + RAG) and hybrid Rust/Nushell orchestration, eliminating configuration errors at compile time.

Provisioning vs Pulumi

| Aspect | Provisioning | Pulumi |
| --- | --- | --- |
| IaC Language | Nickel (functional) | TypeScript/Python/Go |
| Paradigm | Declarative | Imperative (code) |
| State management | SurrealDB multi-model | Pulumi Cloud / self-hosted |
| Secrets | SecretumVault integrated | Pulumi ESC (SaaS) |
| Multi-cloud | AWS, UpCloud, Local | Yes (100+ providers) |
| AI-assisted | MCP + RAG native | Pulumi AI (experimental) |
| Testing | Nickel contracts | Unit tests in code |
| Best For | Pure declarative, typed IaC | Developers, imperative code |

Key differentiator: Provisioning is purely declarative (Nickel) where Pulumi is imperative (code), and adds pre-runtime validation and a Rust orchestrator for complex workflows.

Provisioning vs Ansible

| Aspect | Provisioning | Ansible |
| --- | --- | --- |
| Paradigm | Declarative (Nickel IaC) | Imperative (playbooks) |
| Agentless | Yes (SSH) | Yes (SSH) |
| Idempotence | Nickel contracts | YAML tasks (depends on module) |
| Performance | Rust orchestrator (10-50x) | Python interpreter |
| Multi-cloud | AWS, UpCloud, Local | Yes (cloud modules) |
| Dependency resolution | Automatic topological sort | Manual (pre_tasks, post_tasks) |
| Rollback | Automatic with checkpoints | Manual (rescue blocks) |
| Best For | Typed IaC, critical performance | Configuration management, ad-hoc |

Key differentiator: Provisioning is declarative IaC (not imperative playbooks), with a Rust orchestrator 10-50x faster than Python, automatic rollback, and topological dependency resolution.

SecretumVault vs HashiCorp Vault

| Aspect | SecretumVault | HashiCorp Vault |
| --- | --- | --- |
| Language | Rust (memory-safe) | Go (CGO overhead) |
| Post-Quantum | ML-KEM-768, ML-DSA-65 | No roadmap |
| Crypto backends | 4 (OpenSSL, OQS, AWS-LC, RustCrypto) | 1 (OpenSSL) |
| Storage backends | 4 (FS, etcd, SurrealDB, PostgreSQL) | 10+ (etcd, Consul, S3, etc) |
| Policy engine | Cedar ABAC (AWS-compatible) | HCL policies |
| Shamir unsealing | Native | Native |
| Secrets engines | 4 (KV, Transit, PKI, Database) | 10+ (includes cloud-specific) |
| Ecosystem | ⚠️ Small | Huge (plugins, integrations) |
| License | Apache-2.0 | BSL (Enterprise paywall) |
| Best For | PQC today, Rust stacks, data sovereignty | General use, mature ecosystem |

Key differentiator: SecretumVault is the only Rust vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65 NIST FIPS 203/204), providing cryptographic agility for organizations deploying today.

SecretumVault vs AWS Secrets Manager

| Aspect | SecretumVault | AWS Secrets Manager |
| --- | --- | --- |
| Multi-cloud | Any cloud or on-premise | AWS-only |
| Self-hosted | Full control | SaaS only |
| Post-Quantum | ML-KEM + ML-DSA | None |
| Crypto backends | 4 pluggable | 1 (AWS KMS) |
| Dynamic secrets | Database engine | RDS integration |
| Vendor lock-in | Portable | ⚠️ High (AWS-specific) |
| Cost | Self-hosted (infra cost) | $0.40/secret/month + API calls |
| Best For | Multi-cloud, PQC, data sovereignty | AWS-native apps, managed service |

Key differentiator: SecretumVault is multi-cloud and self-hosted with native PQC, whereas AWS Secrets Manager is cloud-only and has no post-quantum roadmap.

Vapora vs Jenkins

| Aspect | Vapora | Jenkins |
| --- | --- | --- |
| Paradigm | Agent orchestration (AI) | Pipeline orchestration (CI/CD) |
| Agents | LLM-powered (Claude, GPT, Gemini) | Build agents (workers) |
| Orchestration | NATS JetStream | Master-worker |
| Learning | Expertise profiles, recency bias | No (static) |
| Budget control | Per-role limits, fallback | N/A |
| Pipeline definition | Tasks + agent roles | Jenkinsfile (Groovy) |
| UI | Leptos WASM (Kanban) | Web UI (Java) |
| Best For | AI-assisted operations, LLM orchestration | Traditional CI/CD, build automation |

Key differentiator: Vapora orchestrates intelligent LLM agents with learning and cost control, not traditional build agents.

Vapora vs GitHub Actions

| Aspect | Vapora | GitHub Actions |
| --- | --- | --- |
| Self-hosted | Kubernetes native | Self-hosted runners |
| Agents | LLM-powered with roles | Workflow runners |
| Orchestration | NATS JetStream | GitHub infrastructure |
| Learning | Expertise profiles | No (static) |
| Budget control | LLM cost limits | Minutes-based billing |
| Multi-tenant | SurrealDB scopes + Cedar | Repository-level |
| Best For | AI operations, agent coordination | GitHub-native CI/CD, simple workflows |

Key differentiator: Vapora is an AI agent orchestration platform with learning, not a CI/CD workflow runner.

TypeDialog (prov-gen) vs Terraform Modules

| Aspect | TypeDialog (prov-gen) | Terraform Modules |
| --- | --- | --- |
| Input method | TOML forms (CLI/TUI/Web) | Variables (.tfvars) |
| Validation | Nickel contracts (pre-runtime) | Variable validation (runtime) |
| Output format | Nickel IaC | HCL |
| Multi-backend | 6 (CLI/TUI/Web/AI/Agent/Prov-gen) | CLI only |
| IaC generation | Tera templates + validation | Module composition |
| Best For | Interactive wizards, self-service | Reusable modules, Terraform ecosystem |

Key differentiator: TypeDialog unifies input capture (CLI/TUI/Web) with validated IaC generation (Nickel), not just reusable modules.

Kogral vs Confluence

| Aspect | Kogral | Confluence |
| --- | --- | --- |
| Target | Development/ops teams | General teams |
| Git-native | Markdown + YAML frontmatter | Cloud/Server |
| Node types | 6 specialized (ADR, Pattern, etc) | Generic pages |
| MCP Server | Claude Code native | No |
| Semantic search | fastembed + cloud embeddings | Internal search |
| Self-hosted | Filesystem + SurrealDB | Cloud or Data Center |
| Best For | Dev/Ops knowledge, AI integration | General documentation, wikis |

Key differentiator: Kogral is specifically designed for technical knowledge (runbooks, ADRs, postmortems) with native AI integration via MCP.


3. Use Cases and Context (Ops Perspective)

When to Use Each Project

┌─────────────────────────────────────────────────────────────────┐
│  "I need to provision multi-cloud infrastructure with IaC"      │
│  → Provisioning (Nickel IaC, multi-cloud, orchestrator)         │
├─────────────────────────────────────────────────────────────────┤
│  "I want secrets management with post-quantum preparation"      │
│  → SecretumVault (PQC ML-KEM/ML-DSA, 4 crypto backends)         │
├─────────────────────────────────────────────────────────────────┤
│  "I need to orchestrate AI agents for operational tasks"        │
│  → Vapora (DevOps/Monitor/Security agents, NATS, budget)        │
├─────────────────────────────────────────────────────────────────┤
│  "I want configuration wizards that generate IaC"               │
│  → TypeDialog (prov-gen backend, CLI/TUI/Web)                   │
├─────────────────────────────────────────────────────────────────┤
│  "I need to preserve runbooks and incident postmortems"         │
│  → Kogral (6 node types, MCP, git-native)                       │
└─────────────────────────────────────────────────────────────────┘

Decision Matrix by Ops Context

| Context | Main Project | Supporting Projects |
| --- | --- | --- |
| Multi-cloud provisioning | Provisioning | TypeDialog (wizards), SecretumVault (certs), Kogral (ADRs) |
| PQC secrets management | SecretumVault | Provisioning (infrastructure), Kogral (policies) |
| Incident response | Vapora (Monitor/DevOps agents) | Kogral (runbooks/postmortems), SecretumVault (credentials) |
| CI/CD automation | Vapora (DevOps agent) | Provisioning (deploy), SecretumVault (secrets), Kogral (guidelines) |
| Infrastructure self-service | TypeDialog (prov-gen) | Provisioning (apply IaC), Kogral (docs) |
| Knowledge preservation | Kogral | Vapora (execution tracking), TypeDialog (export) |
| Disaster recovery | Provisioning (rollback) | SecretumVault (backup), Kogral (procedures) |

4. Why They Are Necessary (Ops Perspective)

Problems They Solve

Provisioning: The Fragile YAML Problem

BEFORE                             AFTER (Provisioning)
─────────────────────────────────  ─────────────────────────────────
Untyped YAML, runtime errors       Typed Nickel, compile-time errors
Fragile imperative scripts         Declarative workflows with rollback
Terraform state drift              SurrealDB with time-series
No AI assistance                   MCP + RAG (1000x Python)
Manual dependency management       Automatic topological sort

SecretumVault: The Quantum Cryptography Problem

BEFORE                             AFTER (SecretumVault)
─────────────────────────────────  ─────────────────────────────────
Vault in Go (no memory-safety)     Rust with memory guarantees
Classical crypto only (vulnerable) Post-quantum (ML-KEM, ML-DSA)
Fixed crypto backend               Pluggable backends (agility)
SaaS lock-in (AWS, Azure)          Complete self-hosted
No quantum threat preparation      Deploy PQC today, gradual migration

Vapora: The Manual Ops Coordination Problem

BEFORE                             AFTER (Vapora)
─────────────────────────────────  ─────────────────────────────────
Ad-hoc scripts without coordination NATS JetStream orchestration
LLMs without cost control          Budget enforcement + fallback
Agents without historical context  Expertise profiles + recency bias
Manual handoffs (deploy → monitor) Automated pipelines with roles
No execution visibility            Prometheus metrics + SurrealDB

TypeDialog (prov-gen): The Manual Configuration Problem

BEFORE                             AFTER (TypeDialog)
─────────────────────────────────  ─────────────────────────────────
Error-prone manual configuration   Validated forms (Nickel)
CLI ≠ Web ≠ TUI interfaces         1 TOML → 6 backends
No IaC generation                  prov-gen → multi-cloud Nickel
Runtime validation                 Pre-runtime validation (contracts)

Kogral: The Lost Ops Knowledge Problem

BEFORE                             AFTER (Kogral)
─────────────────────────────────  ─────────────────────────────────
Scattered Confluence runbooks      Git-native, versioned
Unsearchable postmortems           Semantic search + MCP
Lost infrastructure ADRs           Decision nodes with relationships
Incidents without historical context Execution nodes with timeline
SRE onboarding takes weeks         Semantic search in days

5. What Makes Them Different (Ops Perspective)

Unique Features per Project

Provisioning

  1. Nickel IaC: Only tool with a typed, lazily evaluated language as its primary IaC language (not HCL, not YAML)
  2. Hybrid orchestrator: Rust (performance) + Nushell (flexibility)
  3. MCP 1000x faster: Rust-native vs Python implementations
  4. 39K lines security: 12 enterprise components (JWT, Cedar, MFA, audit, KMS)
  5. 80+ CLI shortcuts: Optimized developer experience with guided wizards

SecretumVault

  1. Native Post-Quantum: ML-KEM-768, ML-DSA-65 (NIST FIPS 203/204) production-ready today
  2. 4 crypto backends: OpenSSL, OQS, AWS-LC, RustCrypto (cryptographic agility without code changes)
  3. 4 storage backends: Filesystem, etcd, SurrealDB, PostgreSQL (deployment flexibility)
  4. Shamir Secret Sharing: Distributed unsealing with configurable threshold (3-of-5, 5-of-7, etc)
  5. Cedar ABAC: AWS-compatible authorization policies (portable, no vendor lock-in)

Vapora

  1. Learning-based selection: Scoring 0.3*load + 0.5*expertise + 0.2*confidence with 3x recency bias (last 7 days)
  2. Budget enforcement: Per-role hard caps (monthly/weekly) with automatic fallback to cheaper providers
  3. NATS JetStream: At-least-once coordination, message persistence, distributed
  4. 12 agent roles: Architect, Developer, CodeReviewer, Tester, Documenter, Marketer, Presenter, DevOps, Monitor, Security, ProjectManager, DecisionMaker
  5. Native multi-tenant: SurrealDB scopes + Cedar RBAC, complete isolation
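
An added illustration of the learning-based selection and budget fallback listed above, written for this page and not taken from Vapora's source. The weights, the 7-day window and the 3x factor come from the list; the struct and function names, the normalisation of every term to 0..1 (higher is better), and treating the budget cap as a cost filter are assumptions.

```rust
// Added example (not Vapora source code). Lines marked ASSUMPTION are not from the page.

/// One past task result recorded for an agent (constructed sample data below).
struct Outcome {
    age_days: u32,
    success: bool,
}

struct Agent {
    name: &'static str,
    load_score: f64,     // ASSUMPTION: 1.0 = idle, 0.0 = saturated
    confidence: f64,     // ASSUMPTION: already normalised to 0..1
    est_cost_cents: u64, // ASSUMPTION: estimated cost of running the task
    history: Vec<Outcome>,
}

// Weights and recency parameters as stated in the feature list.
const W_LOAD: f64 = 0.3;
const W_EXPERTISE: f64 = 0.5;
const W_CONFIDENCE: f64 = 0.2;
const RECENT_DAYS: u32 = 7;
const RECENT_WEIGHT: f64 = 3.0;

/// Success rate where outcomes from the last 7 days count 3x.
/// ASSUMPTION: an agent with no history gets expertise 0.0.
fn expertise(history: &[Outcome]) -> f64 {
    let (mut ok, mut total) = (0.0, 0.0);
    for o in history {
        let w = if o.age_days <= RECENT_DAYS { RECENT_WEIGHT } else { 1.0 };
        total += w;
        if o.success {
            ok += w;
        }
    }
    if total == 0.0 { 0.0 } else { ok / total }
}

fn score(a: &Agent) -> f64 {
    W_LOAD * a.load_score + W_EXPERTISE * expertise(&a.history) + W_CONFIDENCE * a.confidence
}

/// Best-scoring agent whose estimated cost fits the role's remaining budget.
/// When the top scorer is too expensive, selection falls back to a cheaper one;
/// when nothing fits, the hard cap wins and no agent is selected.
fn select(agents: &[Agent], remaining_budget_cents: u64) -> Option<&Agent> {
    agents
        .iter()
        .filter(|a| a.est_cost_cents <= remaining_budget_cents)
        .max_by(|x, y| score(x).total_cmp(&score(y)))
}

/// Constructed sample agents; names and numbers are hypothetical.
fn sample_agents() -> Vec<Agent> {
    let o = |age_days, success| Outcome { age_days, success };
    vec![
        Agent {
            name: "agent-a",
            load_score: 0.5,
            confidence: 0.8,
            est_cost_cents: 40,
            // A recent failure drags expertise below the plain 3/4 success rate.
            history: vec![o(2, true), o(3, false), o(20, true), o(30, true)],
        },
        Agent {
            name: "agent-b",
            load_score: 0.9,
            confidence: 0.6,
            est_cost_cents: 120,
            history: vec![o(1, true), o(10, false)],
        },
    ]
}

fn main() {
    let agents = sample_agents();
    for budget in [200, 100, 10] {
        let pick = select(&agents, budget).map(|a| a.name);
        println!("remaining budget {budget:>3} cents -> {pick:?}");
    }
}
```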

TypeDialog

  1. 6 unified backends: CLI/TUI/Web/AI/Agent/Prov-gen from same TOML
  2. Prov-gen IaC generation: AWS/GCP/Azure/Hetzner/UpCloud from typed forms
  3. Nickel contracts: Pre-runtime validation with type-safe schemas
  4. 3,818 tests: Exhaustive coverage (503% growth), production-ready
  5. Native multi-language: Fluent bundles for i18n without reimplementing logic

Kogral

  1. 6 specialized node types: Note, Decision (ADR), Guideline, Pattern, Journal, Execution (for ops/incidents)
  2. Hybrid embeddings: Local fastembed (privacy) + cloud (production)
  3. Native MCP: 7 tools for Claude Code, no extra configuration required
  4. Git-native: Everything versioned markdown, no external SaaS, full control
  5. Guideline inheritance: Org → Project with priority, cross-team consistency

6. Synergies and Reuse (Ops Workflows)

Ops Integration Flow

                    ┌──────────────────┐
                    │    Kogral        │
                    │ (Runbooks, ADRs) │
                    └────────┬─────────┘
                             │ Operational knowledge
                             ▼
┌──────────────┐    ┌──────────────────┐    ┌──────────────┐
│  TypeDialog  │───▶│     Vapora       │───▶│ Provisioning │
│ (Wizards)    │    │ (Ops Agents)     │    │ (IaC Deploy) │
└──────────────┘    └──────────────────┘    └──────────────┘
      │                     │                     │
      │ Configuration       │ Orchestration       │ Infrastructure
      ▼                     ▼                     ▼
┌─────────────────────────────────────────────────────────────┐
│                  SECRETUMVAULT                              │
│  PKI certs │ Dynamic DB creds │ API keys │ Encryption       │
└─────────────────────────────────────────────────────────────┘

Reusable Components (Ops Stack)

| Component | Origin | Reused In |
| --- | --- | --- |
| SurrealDB schemas | Vapora | Kogral, Provisioning, SecretumVault (optional) |
| Nickel contracts | Provisioning | TypeDialog (prov-gen validation) |
| Cedar policies | Provisioning | SecretumVault, Vapora (multi-tenant) |
| Axum API patterns | Vapora | Provisioning (control-center), SecretumVault (vault API) |
| tracing setup | Vapora | All (structured logging) |
| Crypto backends | SecretumVault | Provisioning (KMS integration) |
| NATS patterns | Vapora | Provisioning (future messaging), SecretumVault (HA) |

Synergy Scenarios (Ops Workflows)

Scenario 1: Zero-Touch Provisioning with AI

1. TypeDialog (prov-gen): SRE completes web wizard
   - Cloud provider, region, cluster size, services
   - Generates Nickel IaC validated with contracts

2. Kogral: MCP provides deployment guidelines
   - "What is our cluster naming policy?"
   - "What security groups do we apply by default?"

3. Provisioning: Orchestrator deploys infrastructure
   - Servers → networking → storage → services
   - Checkpoints per step, automatic rollback if a step fails

4. SecretumVault: Generates certificates and secrets
   - PKI engine: etcd, kube-apiserver, kubelet certs (ML-DSA-65 PQC)
   - Database engine: PostgreSQL dynamic credentials (TTL 1h)

5. Vapora: Post-deployment automation
   - Monitor Agent: Setup Prometheus alerts, health checks
   - Security Agent: Vulnerability scan, compliance check
   - DevOps Agent: Deploy baseline apps (Ingress, cert-manager)

6. Kogral: Documents deployment
   - Execution node with timestamp, created resources, configuration
   - Links to architecture ADRs, maintenance runbooks

Scenario 2: Automated Incident Response

1. Vapora Monitor Agent: Detects anomaly (PostgreSQL down)
   - Alert via NATS JetStream
   - Trigger incident response pipeline

2. Kogral: Claude Code queries runbooks via MCP
   - search("postgresql outage troubleshooting")
   - Returns 3 similar postmortems with resolutions

3. Vapora DevOps Agent: Executes automated runbook
   - Verify PostgreSQL process (systemctl status)
   - Check logs (/var/log/postgresql)
   - Restart if needed with adjusted parameters

4. SecretumVault: Rotates compromised credentials
   - Database engine generates new dynamic credentials
   - Updates connected apps via secret injection

5. Vapora Security Agent: Post-incident audit
   - Review access logs, configuration changes
   - Generate compliance report

6. Kogral: Documents postmortem
   - Execution node with root cause, timeline, resolution
   - Links to PostgreSQL configuration ADRs
   - Action items to prevent recurrence

Scenario 3: Gradual Post-Quantum Migration

1. Kogral: Documents strategic decision
   - ADR: "Gradual migration to post-quantum cryptography"
   - Rationale: Preparation for quantum threats (harvest now, decrypt later)
   - Timeline: Q1 2026 testing, Q2 2026 staging, Q3 2026 production

2. SecretumVault: Migrates secrets in staging
   - Backend switch: openssl → oqs (ML-KEM-768)
   - Re-encrypts existing secrets with PQC
   - Dual-stack: classical for legacy, PQC for new services

3. Provisioning: Updates PKI infrastructure
   - Generates new certificates with ML-DSA-65 (PQC signatures)
   - Deploys certificates to services (etcd, K8s API, service mesh)
   - Health checks: latency not degraded, handshakes correct

4. Vapora: Orchestrates comprehensive validation
   - Security Agent: Verifies correct cryptographic algorithms
   - Monitor Agent: Benchmark latency (PQC vs classical)
   - DevOps Agent: Integration tests with PQC certificates

5. TypeDialog: Self-service portal for teams
   - Form: "Migrate service to PQC"
   - Input: service name, migration strategy (gradual/immediate)
   - prov-gen: Generates updated configuration (Nickel)

6. Kogral: Migration tracking
   - Execution nodes per migrated service
   - Metrics: services migrated, performance impact, issues
   - Lessons learned: what worked, what to improve

Scenario 4: Multi-Cloud Disaster Recovery

1. Kogral: Disaster recovery runbook
   - Procedure: "Failover from AWS to UpCloud in <1h"
   - Prerequisites, detailed steps, validation

2. Vapora: Automatic trigger (AWS region down)
   - Monitor Agent detects regional outage
   - ProjectManager Agent declares disaster recovery mode
   - DevOps Agent executes Kogral runbook

3. Provisioning: Deploys replica on UpCloud
   - Multi-cloud Nickel IaC (change: provider = "upcloud")
   - Orchestrator deploys: servers → networking → K8s → apps
   - Checkpoints: rollback to AWS if UpCloud also fails

4. SecretumVault: Synchronizes secrets
   - Cross-region etcd replication (AWS → UpCloud)
   - PKI engine generates certificates for UpCloud region
   - Database engine: new DB dynamic credentials

5. TypeDialog: DNS failover wizard
   - Form: Update DNS records (Route53 → NS1)
   - Validation: TTL check, propagation time

6. Kogral: Documents incident
   - Execution node: timeline, decisions, metrics
   - RTO achieved, RPO achieved, issues encountered
   - Postmortem: what to improve in runbook

7. Dependencies and Adoption Order (Ops Teams)

Dependency Graph

                 SecretumVault (standalone)
                    │
                    │ provides secrets to
                    ▼
Kogral ◄────────────────────────► Provisioning
(standalone)                      (can integrate vault)
   │                                   │
   │ provides runbooks to              │ deploys infrastructure for
   ▼                                   ▼
              Vapora
         (integrates all)
              │
              │ uses wizards from
              ▼
           TypeDialog
      (prov-gen → Provisioning)

| Phase | Project | Reason | Dependencies |
| --- | --- | --- | --- |
| 1 | SecretumVault | Critical secrets management, no dependencies | None (standalone) |
| 2 | Kogral | Operational knowledge base (runbooks, ADRs) | None (standalone) |
| 3 | Provisioning | Declarative IaC, can integrate SecretumVault (optional) | Optional: SecretumVault (KMS) |
| 4 | TypeDialog | Configuration wizards, prov-gen for Provisioning | Optional: Provisioning (IaC apply) |
| 5 | Vapora | Agent orchestration, integrates all previous | Kogral (runbooks), SecretumVault (creds), Provisioning (deploy) |

Note: Each project is functional independently, but synergies emerge with progressive adoption.


8. Ecosystem Comparison

STRATUMIOPS Ops vs HashiCorp Stack

| Component | STRATUMIOPS | HashiCorp |
| --- | --- | --- |
| IaC | Provisioning (typed Nickel) | Terraform (untyped HCL) |
| Secrets | SecretumVault (Rust, PQC) | Vault (Go, no PQC) |
| Orchestration | Vapora (LLM agents) | Nomad (workload scheduler) |
| Service Mesh | Integrates Istio | Consul Connect |
| Policy | Cedar (AWS-compatible) | Sentinel (HCL) |
| Language | Rust (memory-safe) | Go (garbage collector) |
| AI-assisted | MCP + RAG native | Terraform Cloud AI (limited) |
| License | Apache-2.0 | BSL (Enterprise paywall) |
| Ecosystem | ⚠️ Small | Huge |

STRATUMIOPS Ops vs AWS Native Stack

| Component | STRATUMIOPS | AWS Native |
| --- | --- | --- |
| IaC | Provisioning (multi-cloud) | CloudFormation (AWS-only) |
| Secrets | SecretumVault (PQC, self-hosted) | Secrets Manager (SaaS, no PQC) |
| Orchestration | Vapora (self-hosted K8s) | Step Functions (SaaS) |
| CI/CD | Vapora DevOps Agent | CodePipeline + CodeBuild |
| Storage | SurrealDB multi-model | DynamoDB + RDS |
| Policy | Cedar (portable) | IAM (AWS-specific) |
| Multi-cloud | AWS/UpCloud/Local | AWS-only |
| Vendor lock-in | Portable | ⚠️ High |
| Cost | Self-hosted (infra cost) | SaaS (per-use billing) |

9. Portfolio Metrics (Ops Perspective)

| Metric | Provisioning | SecretumVault | Vapora | TypeDialog | Kogral | Total |
| --- | --- | --- | --- | --- | --- | --- |
| Lines of Code | ~40K | ~11K | ~50K | ~90K | ~15K | ~206K |
| Tests | 218 | 50+ | 218 | 3,818 | 56 | 4,360+ |
| CLI Commands | 80+ shortcuts | 10+ (svault) | 10+ (vapora) | 6 backends | 13 commands | 100+ |
| Storage Backends | SurrealDB | 4 (FS/etcd/SurrealDB/PostgreSQL) | SurrealDB + NATS | Multi-format | FS + SurrealDB | 4 backends |
| API Endpoints | 40+ (control-center) | 20+ (vault API) | 40+ (backend) | 10+ (web) | N/A (MCP) | 100+ |
| Policy Engine | Cedar RBAC/ABAC | Cedar ABAC | Cedar multi-tenant | N/A | N/A | Cedar AWS-compatible |
| Crypto Backends | 5 KMS | 4 (OpenSSL, OQS PQC, AWS-LC, RustCrypto) | N/A | N/A | N/A | 4 backends |
| Multi-cloud | AWS/UpCloud/Local | N/A | N/A | Yes (prov-gen) | N/A | 3 clouds |

10. Conclusion (Ops/DevOps Teams)

This portfolio represents a cohesive ecosystem for modern operations:

  • Provisioning is the muscle: deploys multi-cloud infrastructure with typed IaC and automatic rollback
  • SecretumVault is the vault: protects secrets with production-ready post-quantum cryptography
  • Vapora is the brain: orchestrates Ops agents (DevOps, Monitor, Security) with learning and cost control
  • TypeDialog is the interface: configuration wizards that generate validated multi-cloud IaC
  • Kogral is the memory: preserves runbooks, postmortems and operational knowledge

The key differentiation versus alternatives (Ops perspective):

  1. Full Rust stack: Performance (10-50x Python), memory-safety, zero-cost abstractions
  2. Typed Nickel IaC: Configuration errors detected at compile time, not at runtime
  3. Post-Quantum ready: SecretumVault with native ML-KEM-768/ML-DSA-65, deploy today
  4. AI-native from design: MCP + RAG integrated, not retrofitted
  5. Unified multi-cloud: One Nickel configuration for AWS/UpCloud/Local
  6. Enterprise security: Cedar policies, audit logging, RBAC/ABAC, 7 years retention

The synergy between projects enables addressing operations with:

  • Typed and validated infrastructure (Provisioning)
  • Secrets with cryptographic agility (SecretumVault)
  • Intelligent Ops agent orchestration (Vapora)
  • Configuration wizards (TypeDialog)
  • Preserved operational knowledge (Kogral)

Best for: DevOps/SRE teams valuing type-safety, performance, PQC readiness, multi-cloud, and self-hosted infrastructure over mature ecosystems with vendor lock-in.


Document generated: 2026-01-22
Type: info (Ops/DevOps positioning)