jesus/stratumiops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
stratumiops/docs/en/ops/ops-stratumiops-projects-positioning.md
Jesús Pérez 1680d80a3d
Some checks failed
Rust CI / Security Audit (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (nightly) (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (stable) (push) Has been cancelled
Details
Nickel Type Check / Nickel Type Checking (push) Has been cancelled
Details
chore: Init repo, add docs
2026-01-22 22:15:19 +00:00

624 lines
31 KiB
Markdown
Raw Blame History

# Ops/DevOps Portfolio: Strategic Positioning
## Executive Summary
This document analyzes the five-project portfolio from the Ops/DevOps perspective, positioning them against established market tools:
| Project | Domain | Competes With |
| --------- | -------- | --------------- |
| **Provisioning** | IaC + Orchestration | Terraform, Pulumi, Ansible, CloudFormation |
| **SecretumVault** | Secrets Management | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault |
| **Vapora** | Agent Orchestration | Jenkins, GitHub Actions, Tekton, ArgoCD |
| **TypeDialog** | Configuration + IaC Gen | Terraform modules, Cookiecutter, Yeoman |
| **Kogral** | Knowledge Management | Confluence, Notion, Internal wikis |
---
## 1. Ops Functionality Matrix
### Capabilities per Project
| Capability | Provisioning | SecretumVault | Vapora | TypeDialog | Kogral |
| ------------ | -------------- | --------------- | -------- | ------------ | -------- |
| **Multi-cloud** | AWS, UpCloud, Local | N/A (storage agnostic) | N/A | Yes (prov-gen) | N/A |
| **Declarative IaC** | Nickel (typed) | N/A | N/A | Generates Nickel | N/A |
| **Secrets management** | Integrates KMS | ✅ 4 engines | Uses vault | N/A | N/A |
| **Orchestration** | Rust orchestrator | N/A | NATS JetStream | N/A | N/A |
| **Post-Quantum Crypto** | Via SecretumVault | ✅ ML-KEM/ML-DSA | N/A | N/A | N/A |
| **Automatic rollback** | ✅ Checkpoints | N/A | Pipeline rollback | N/A | N/A |
| **Policy engine** | Cedar RBAC/ABAC | Cedar ABAC | Cedar multi-tenant | N/A | N/A |
| **Audit logging** | 7 years retention | ✅ Complete | ✅ SurrealDB | N/A | Git history |
| **AI-assisted** | MCP + RAG | N/A | LLM routing | Agent backend | MCP search |
| **REST API** | Axum control-center | Axum vault API | Axum backend | Axum web backend | N/A (MCP) |
| **Storage backends** | SurrealDB | FS/etcd/SurrealDB/PostgreSQL | SurrealDB + NATS | Multi-format | FS + SurrealDB |
| **CLI** | 80+ shortcuts | svault CLI | vapora CLI | typedialog CLI | kogral CLI |
### Common Technology Stack (Ops Perspective)
```
┌─────────────────────────────────────────────────────────────────┐
│ SHARED TECHNOLOGIES │
├─────────────────────────────────────────────────────────────────┤
│ Language: Rust (performance, memory-safety) │
│ Config: Nickel (pre-runtime validation, lazy eval) │
│ DB: SurrealDB (multi-model, scopes, time-series) │
│ Web: Axum (async, composable routing) │
│ Messaging: NATS JetStream (at-least-once, persistence) │
│ Policy: Cedar (ABAC, AWS-compatible) │
│ Crypto: OpenSSL, OQS (PQC), AWS-LC, RustCrypto │
│ Logging: tracing (structured, JSON output) │
└─────────────────────────────────────────────────────────────────┘
```
---
## 2. Positioning vs Competition (Ops Tools)
### Provisioning vs Terraform
| Aspect | Provisioning | Terraform |
| -------- | -------------- | ----------- |
| **IaC Language** | Nickel (typed, lazy) | HCL (untyped) |
| **Validation** | Pre-runtime (compilation) | Runtime (terraform plan) |
| **Multi-cloud** | AWS, UpCloud, Local | Yes (100+ providers) |
| **AI native** | MCP + RAG (1000x Python) | Terraform Cloud AI (limited) |
| **Orchestration** | Rust hybrid orchestrator | State file + lock |
| **Rollback** | Automatic with checkpoints | Manual (terraform destroy) |
| **Security** | 39K lines (12 components) | Vault plugin, external |
| **Ecosystem** | ⚠️ Small | ✅ Huge (Terraform Registry) |
| **Learning curve** | High (Nickel + Nushell) | Moderate (familiar HCL) |
| **Best For** | Rust teams, typed IaC, AI-assisted | General use, large ecosystem |
**Key differentiator**: Provisioning combines typed declarative IaC (Nickel) with AI-assisted generation (MCP + RAG) and hybrid Rust/Nushell orchestration, eliminating configuration errors at compile time.
### Provisioning vs Pulumi
| Aspect | Provisioning | Pulumi |
| -------- | -------------- | -------- |
| **IaC Language** | Nickel (functional) | TypeScript/Python/Go |
| **Paradigm** | Declarative | Imperative (code) |
| **State management** | SurrealDB multi-model | Pulumi Cloud / self-hosted |
| **Secrets** | SecretumVault integrated | Pulumi ESC (SaaS) |
| **Multi-cloud** | AWS, UpCloud, Local | Yes (100+ providers) |
| **AI-assisted** | MCP + RAG native | Pulumi AI (experimental) |
| **Testing** | Nickel contracts | Unit tests in code |
| **Best For** | Pure declarative, typed IaC | Developers, imperative code |
**Key differentiator**: Provisioning is pure declarative (Nickel) vs imperative (Pulumi code), with pre-runtime validation and Rust orchestrator for complex workflows.
### Provisioning vs Ansible
| Aspect | Provisioning | Ansible |
| -------- | -------------- | --------- |
| **Paradigm** | Declarative (Nickel IaC) | Imperative (playbooks) |
| **Agentless** | Yes (SSH) | Yes (SSH) |
| **Idempotence** | Nickel contracts | YAML tasks (depends on module) |
| **Performance** | Rust orchestrator (10-50x) | Python interpreter |
| **Multi-cloud** | AWS, UpCloud, Local | Yes (cloud modules) |
| **Dependency resolution** | Automatic topological sort | Manual (pre_tasks, post_tasks) |
| **Rollback** | Automatic with checkpoints | Manual (rescue blocks) |
| **Best For** | Typed IaC, critical performance | Configuration management, ad-hoc |
**Key differentiator**: Provisioning is declarative IaC (not imperative playbooks) with Rust orchestrator 10-50x faster than Python, automatic rollback and topological dependency resolution.
### SecretumVault vs HashiCorp Vault
| Aspect | SecretumVault | HashiCorp Vault |
| -------- | --------------- | ----------------- |
| **Language** | Rust (memory-safe) | Go (CGO overhead) |
| **Post-Quantum** | ✅ **ML-KEM-768, ML-DSA-65** | ❌ No roadmap |
| **Crypto backends** | 4 (OpenSSL, **OQS**, AWS-LC, RustCrypto) | 1 (OpenSSL) |
| **Storage backends** | 4 (FS, etcd, SurrealDB, PostgreSQL) | 10+ (etcd, Consul, S3, etc) |
| **Policy engine** | Cedar ABAC (AWS-compatible) | HCL policies |
| **Shamir unsealing** | ✅ Native | ✅ Native |
| **Secrets engines** | 4 (KV, Transit, PKI, Database) | 10+ (includes cloud-specific) |
| **Ecosystem** | ⚠️ Small | ✅ Huge (plugins, integrations) |
| **License** | Apache-2.0 | BSL (Enterprise paywall) |
| **Best For** | **PQC today**, Rust stacks, data sovereignty | General use, mature ecosystem |
**Key differentiator**: SecretumVault is the **only Rust vault with production-ready post-quantum cryptography** (ML-KEM-768, ML-DSA-65 NIST FIPS 203/204), providing cryptographic agility for organizations deploying today.
### SecretumVault vs AWS Secrets Manager
| Aspect | SecretumVault | AWS Secrets Manager |
| -------- | --------------- | --------------------- |
| **Multi-cloud** | ✅ Any cloud or on-premise | ❌ AWS-only |
| **Self-hosted** | ✅ Full control | ❌ SaaS only |
| **Post-Quantum** | ✅ **ML-KEM + ML-DSA** | ❌ None |
| **Crypto backends** | 4 pluggable | 1 (AWS KMS) |
| **Dynamic secrets** | ✅ Database engine | ✅ RDS integration |
| **Vendor lock-in** | ✅ Portable | ⚠️ High (AWS-specific) |
| **Cost** | Self-hosted (infra cost) | $0.40/secret/month + API calls |
| **Best For** | Multi-cloud, **PQC**, data sovereignty | AWS-native apps, managed service |
**Key differentiator**: SecretumVault is multi-cloud and self-hosted with native PQC, vs AWS Secrets Manager cloud-only without post-quantum roadmap.
### Vapora vs Jenkins
| Aspect | Vapora | Jenkins |
| -------- | -------- | --------- |
| **Paradigm** | Agent orchestration (AI) | Pipeline orchestration (CI/CD) |
| **Agents** | LLM-powered (Claude, GPT, Gemini) | Build agents (workers) |
| **Orchestration** | NATS JetStream | Master-worker |
| **Learning** | Expertise profiles, recency bias | No (static) |
| **Budget control** | Per-role limits, fallback | N/A |
| **Pipeline definition** | Tasks + agent roles | Jenkinsfile (Groovy) |
| **UI** | Leptos WASM (Kanban) | Web UI (Java) |
| **Best For** | AI-assisted operations, LLM orchestration | Traditional CI/CD, build automation |
**Key differentiator**: Vapora orchestrates **intelligent LLM agents** with learning and cost control, not traditional build agents.
### Vapora vs GitHub Actions
| Aspect | Vapora | GitHub Actions |
| -------- | -------- | ---------------- |
| **Self-hosted** | ✅ Kubernetes native | ✅ Self-hosted runners |
| **Agents** | LLM-powered with roles | Workflow runners |
| **Orchestration** | NATS JetStream | GitHub infrastructure |
| **Learning** | Expertise profiles | No (static) |
| **Budget control** | LLM cost limits | Minutes-based billing |
| **Multi-tenant** | SurrealDB scopes + Cedar | Repository-level |
| **Best For** | AI operations, agent coordination | GitHub-native CI/CD, simple workflows |
**Key differentiator**: Vapora is an AI agent orchestration platform with learning, not a CI/CD workflow runner.
### TypeDialog (prov-gen) vs Terraform Modules
| Aspect | TypeDialog (prov-gen) | Terraform Modules |
| -------- | ----------------------- | ------------------- |
| **Input method** | TOML forms (CLI/TUI/Web) | Variables (.tfvars) |
| **Validation** | Nickel contracts (pre-runtime) | Variable validation (runtime) |
| **Output format** | Nickel IaC | HCL |
| **Multi-backend** | 6 (CLI/TUI/Web/AI/Agent/Prov-gen) | CLI only |
| **IaC generation** | Tera templates + validation | Module composition |
| **Best For** | Interactive wizards, self-service | Reusable modules, Terraform ecosystem |
**Key differentiator**: TypeDialog unifies input capture (CLI/TUI/Web) with validated IaC generation (Nickel), not just reusable modules.
### Kogral vs Confluence
| Aspect | Kogral | Confluence |
| -------- | -------- | ------------ |
| **Target** | Development/ops teams | General teams |
| **Git-native** | ✅ Markdown + YAML frontmatter | ❌ Cloud/Server |
| **Node types** | 6 specialized (ADR, Pattern, etc) | Generic pages |
| **MCP Server** | ✅ Claude Code native | ❌ No |
| **Semantic search** | fastembed + cloud embeddings | Internal search |
| **Self-hosted** | ✅ Filesystem + SurrealDB | Cloud or Data Center |
| **Best For** | Dev/Ops knowledge, AI integration | General documentation, wikis |
**Key differentiator**: Kogral is specifically designed for technical knowledge (runbooks, ADRs, postmortems) with native AI integration via MCP.
---
## 3. Use Cases and Context (Ops Perspective)
### When to Use Each Project
```
┌─────────────────────────────────────────────────────────────────┐
│ "I need to provision multi-cloud infrastructure with IaC" │
│ → Provisioning (Nickel IaC, multi-cloud, orchestrator) │
├─────────────────────────────────────────────────────────────────┤
│ "I want secrets management with post-quantum preparation" │
│ → SecretumVault (PQC ML-KEM/ML-DSA, 4 crypto backends) │
├─────────────────────────────────────────────────────────────────┤
│ "I need to orchestrate AI agents for operational tasks" │
│ → Vapora (DevOps/Monitor/Security agents, NATS, budget) │
├─────────────────────────────────────────────────────────────────┤
│ "I want configuration wizards that generate IaC" │
│ → TypeDialog (prov-gen backend, CLI/TUI/Web) │
├─────────────────────────────────────────────────────────────────┤
│ "I need to preserve runbooks and incident postmortems" │
│ → Kogral (6 node types, MCP, git-native) │
└─────────────────────────────────────────────────────────────────┘
```
### Decision Matrix by Ops Context
| Context | Main Project | Supporting Projects |
| --------- | -------------- | --------------------- |
| **Multi-cloud provisioning** | Provisioning | TypeDialog (wizards), SecretumVault (certs), Kogral (ADRs) |
| **PQC secrets management** | SecretumVault | Provisioning (infrastructure), Kogral (policies) |
| **Incident response** | Vapora (Monitor/DevOps agents) | Kogral (runbooks/postmortems), SecretumVault (credentials) |
| **CI/CD automation** | Vapora (DevOps agent) | Provisioning (deploy), SecretumVault (secrets), Kogral (guidelines) |
| **Infrastructure self-service** | TypeDialog (prov-gen) | Provisioning (apply IaC), Kogral (docs) |
| **Knowledge preservation** | Kogral | Vapora (execution tracking), TypeDialog (export) |
| **Disaster recovery** | Provisioning (rollback) | SecretumVault (backup), Kogral (procedures) |
---
## 4. Why They Are Necessary (Ops Perspective)
### Problems They Solve
#### Provisioning: The Fragile YAML Problem
```
BEFORE AFTER (Provisioning)
───────────────────────────────── ─────────────────────────────────
Untyped YAML, runtime errors Typed Nickel, compile-time errors
Fragile imperative scripts Declarative workflows with rollback
Terraform state drift SurrealDB with time-series
No AI assistance MCP + RAG (1000x Python)
Manual dependency management Automatic topological sort
```
#### SecretumVault: The Quantum Cryptography Problem
```
BEFORE AFTER (SecretumVault)
───────────────────────────────── ─────────────────────────────────
Vault in Go (no memory-safety) Rust with memory guarantees
Classical crypto only (vulnerable) Post-quantum (ML-KEM, ML-DSA)
Fixed crypto backend Pluggable backends (agility)
SaaS lock-in (AWS, Azure) Complete self-hosted
No quantum threat preparation Deploy PQC today, gradual migration
```
#### Vapora: The Manual Ops Coordination Problem
```
BEFORE AFTER (Vapora)
───────────────────────────────── ─────────────────────────────────
Ad-hoc scripts without coordination NATS JetStream orchestration
LLMs without cost control Budget enforcement + fallback
Agents without historical context Expertise profiles + recency bias
Manual handoffs (deploy → monitor) Automated pipelines with roles
No execution visibility Prometheus metrics + SurrealDB
```
#### TypeDialog (prov-gen): The Manual Configuration Problem
```
BEFORE AFTER (TypeDialog)
───────────────────────────────── ─────────────────────────────────
Error-prone manual configuration Validated forms (Nickel)
CLI ≠ Web ≠ TUI interfaces 1 TOML → 6 backends
No IaC generation prov-gen → multi-cloud Nickel
Runtime validation Pre-runtime validation (contracts)
```
#### Kogral: The Lost Ops Knowledge Problem
```
BEFORE AFTER (Kogral)
───────────────────────────────── ─────────────────────────────────
Scattered Confluence runbooks Git-native, versioned
Unsearchable postmortems Semantic search + MCP
Lost infrastructure ADRs Decision nodes with relationships
Incidents without historical context Execution nodes with timeline
SRE onboarding takes weeks Semantic search in days
```
---
## 5. What Makes Them Different (Ops Perspective)
### Unique Features per Project
#### Provisioning
1. **Nickel IaC**: Only with lazy-eval typed language as primary (not HCL, not YAML)
2. **Hybrid orchestrator**: Rust (performance) + Nushell (flexibility)
3. **MCP 1000x faster**: Rust-native vs Python implementations
4. **39K lines security**: 12 enterprise components (JWT, Cedar, MFA, audit, KMS)
5. **80+ CLI shortcuts**: Optimized developer experience with guided wizards
#### SecretumVault
1. **Native Post-Quantum**: ML-KEM-768, ML-DSA-65 (NIST FIPS 203/204) **production-ready today**
2. **4 crypto backends**: OpenSSL, **OQS**, AWS-LC, RustCrypto (cryptographic agility without code changes)
3. **4 storage backends**: Filesystem, etcd, SurrealDB, PostgreSQL (deployment flexibility)
4. **Shamir Secret Sharing**: Distributed unsealing with configurable threshold (3-of-5, 5-of-7, etc)
5. **Cedar ABAC**: AWS-compatible authorization policies (portable, no vendor lock-in)
#### Vapora
1. **Learning-based selection**: Scoring `0.3*load + 0.5*expertise + 0.2*confidence` with 3x recency bias (last 7 days)
2. **Budget enforcement**: Per-role hard caps (monthly/weekly) with automatic fallback to cheaper providers
3. **NATS JetStream**: At-least-once coordination, message persistence, distributed
4. **12 agent roles**: Architect, Developer, CodeReviewer, Tester, Documenter, Marketer, Presenter, **DevOps**, **Monitor**, **Security**, ProjectManager, DecisionMaker
5. **Native multi-tenant**: SurrealDB scopes + Cedar RBAC, complete isolation
#### TypeDialog
1. **6 unified backends**: CLI/TUI/Web/AI/Agent/**Prov-gen** from same TOML
2. **Prov-gen IaC generation**: AWS/GCP/Azure/Hetzner/UpCloud from typed forms
3. **Nickel contracts**: Pre-runtime validation with type-safe schemas
4. **3,818 tests**: Exhaustive coverage (503% growth), production-ready
5. **Native multi-language**: Fluent bundles for i18n without reimplementing logic
#### Kogral
1. **6 specialized node types**: Note, Decision (ADR), Guideline, Pattern, Journal, **Execution** (for ops/incidents)
2. **Hybrid embeddings**: Local fastembed (privacy) + cloud (production)
3. **Native MCP**: 7 tools for Claude Code, no extra configuration required
4. **Git-native**: Everything versioned markdown, no external SaaS, full control
5. **Guideline inheritance**: Org → Project with priority, cross-team consistency
---
## 6. Synergies and Reuse (Ops Workflows)
### Ops Integration Flow
```
┌──────────────────┐
│ Kogral │
│ (Runbooks, ADRs) │
└────────┬─────────┘
│ Operational knowledge
┌──────────────┐ ┌──────────────────┐ ┌──────────────┐
│ TypeDialog │───▶│ Vapora │───▶│ Provisioning │
│ (Wizards) │ │ (Ops Agents) │ │ (IaC Deploy) │
└──────────────┘ └──────────────────┘ └──────────────┘
│ │ │
│ Configuration │ Orchestration │ Infrastructure
▼ ▼ ▼
┌─────────────────────────────────────────────────────────────┐
│ SECRETUMVAULT │
│ PKI certs │ Dynamic DB creds │ API keys │ Encryption │
└─────────────────────────────────────────────────────────────┘
```
### Reusable Components (Ops Stack)
| Component | Origin | Reused In |
| ----------- | -------- | ----------- |
| **SurrealDB schemas** | Vapora | Kogral, Provisioning, SecretumVault (optional) |
| **Nickel contracts** | Provisioning | TypeDialog (prov-gen validation) |
| **Cedar policies** | Provisioning | SecretumVault, Vapora (multi-tenant) |
| **Axum API patterns** | Vapora | Provisioning (control-center), SecretumVault (vault API) |
| **tracing setup** | Vapora | All (structured logging) |
| **Crypto backends** | SecretumVault | Provisioning (KMS integration) |
| **NATS patterns** | Vapora | Provisioning (future messaging), SecretumVault (HA) |
### Synergy Scenarios (Ops Workflows)
#### Scenario 1: Zero-Touch Provisioning with AI
```
1. TypeDialog (prov-gen): SRE completes web wizard
- Cloud provider, region, cluster size, services
- Generates Nickel IaC validated with contracts
2. Kogral: MCP provides deployment guidelines
- "What is our cluster naming policy?"
- "What security groups do we apply by default?"
3. Provisioning: Orchestrator deploys infrastructure
- Servers → networking → storage → services
- Checkpoints per step, automatic rollback if fails
4. SecretumVault: Generates certificates and secrets
- PKI engine: etcd, kube-apiserver, kubelet certs (ML-DSA-65 PQC)
- Database engine: PostgreSQL dynamic credentials (TTL 1h)
5. Vapora: Post-deployment automation
- Monitor Agent: Setup Prometheus alerts, health checks
- Security Agent: Vulnerability scan, compliance check
- DevOps Agent: Deploy baseline apps (Ingress, cert-manager)
6. Kogral: Documents deployment
- Execution node with timestamp, created resources, configuration
- Links to architecture ADRs, maintenance runbooks
```
#### Scenario 2: Automated Incident Response
```
1. Vapora Monitor Agent: Detects anomaly (PostgreSQL down)
- Alert via NATS JetStream
- Trigger incident response pipeline
2. Kogral: Claude Code queries runbooks via MCP
- search("postgresql outage troubleshooting")
- Returns 3 similar postmortems with resolutions
3. Vapora DevOps Agent: Executes automated runbook
- Verify PostgreSQL process (systemctl status)
- Check logs (/var/log/postgresql)
- Restart if needed with adjusted parameters
4. SecretumVault: Rotates compromised credentials
- Database engine generates new dynamic credentials
- Updates connected apps via secret injection
5. Vapora Security Agent: Post-incident audit
- Review access logs, configuration changes
- Generate compliance report
6. Kogral: Documents postmortem
- Execution node with root cause, timeline, resolution
- Links to PostgreSQL configuration ADRs
- Action items to prevent recurrence
```
#### Scenario 3: Gradual Post-Quantum Migration
```
1. Kogral: Documents strategic decision
- ADR: "Gradual migration to post-quantum cryptography"
- Rationale: Preparation for quantum threats (harvest now, decrypt later)
- Timeline: Q1 2026 testing, Q2 2026 staging, Q3 2026 production
2. SecretumVault: Migrates secrets in staging
- Backend switch: openssl → oqs (ML-KEM-768)
- Re-encrypts existing secrets with PQC
- Dual-stack: classical for legacy, PQC for new services
3. Provisioning: Updates PKI infrastructure
- Generates new certificates with ML-DSA-65 (PQC signatures)
- Deploys certificates to services (etcd, K8s API, service mesh)
- Health checks: latency not degraded, handshakes correct
4. Vapora: Orchestrates comprehensive validation
- Security Agent: Verifies correct cryptographic algorithms
- Monitor Agent: Benchmark latency (PQC vs classical)
- DevOps Agent: Integration tests with PQC certificates
5. TypeDialog: Self-service portal for teams
- Form: "Migrate service to PQC"
- Input: service name, migration strategy (gradual/immediate)
- prov-gen: Generates updated configuration (Nickel)
6. Kogral: Migration tracking
- Execution nodes per migrated service
- Metrics: services migrated, performance impact, issues
- Lessons learned: what worked, what to improve
```
#### Scenario 4: Multi-Cloud Disaster Recovery
```
1. Kogral: Disaster recovery runbook
- Procedure: "Failover from AWS to UpCloud in <1h"
- Prerequisites, detailed steps, validation
2. Vapora: Automatic trigger (AWS region down)
- Monitor Agent detects regional outage
- ProjectManager Agent declares disaster recovery mode
- DevOps Agent executes Kogral runbook
3. Provisioning: Deploys replica on UpCloud
- Multi-cloud Nickel IaC (change: provider = "upcloud")
- Orchestrator deploys: servers → networking → K8s → apps
- Checkpoints: rollback to AWS if UpCloud also fails
4. SecretumVault: Synchronizes secrets
- Cross-region etcd replication (AWS → UpCloud)
- PKI engine generates certificates for UpCloud region
- Database engine: new DB dynamic credentials
5. TypeDialog: DNS failover wizard
- Form: Update DNS records (Route53 → NS1)
- Validation: TTL check, propagation time
6. Kogral: Documents incident
- Execution node: timeline, decisions, metrics
- RTO achieved, RPO achieved, issues encountered
- Postmortem: what to improve in runbook
```
---
## 7. Dependencies and Adoption Order (Ops Teams)
### Dependency Graph
```
SecretumVault (standalone)
│ provides secrets to
Kogral ◄────────────────────────► Provisioning
(standalone) (can integrate vault)
│ │
│ provides runbooks to │ deploys infrastructure for
▼ ▼
Vapora
(integrates all)
│ uses wizards from
TypeDialog
(prov-gen → Provisioning)
```
### Recommended Adoption Order (Ops Perspective)
| Phase | Project | Reason | Dependencies |
| ------- | --------- | -------- | -------------- |
| 1 | **SecretumVault** | Critical secrets management, no dependencies | None (standalone) |
| 2 | **Kogral** | Operational knowledge base (runbooks, ADRs) | None (standalone) |
| 3 | **Provisioning** | Declarative IaC, can integrate SecretumVault (optional) | Optional: SecretumVault (KMS) |
| 4 | **TypeDialog** | Configuration wizards, prov-gen for Provisioning | Optional: Provisioning (IaC apply) |
| 5 | **Vapora** | Agent orchestration, integrates all previous | Kogral (runbooks), SecretumVault (creds), Provisioning (deploy) |
**Note**: Each project is functional independently, but synergies emerge with progressive adoption.
---
## 8. Ecosystem Comparison
### STRATUMIOPS Ops vs HashiCorp Stack
| Component | STRATUMIOPS | HashiCorp |
| ----------- | --------- | ----------- |
| **IaC** | Provisioning (typed Nickel) | Terraform (untyped HCL) |
| **Secrets** | SecretumVault (Rust, **PQC**) | Vault (Go, no PQC) |
| **Orchestration** | Vapora (LLM agents) | Nomad (workload scheduler) |
| **Service Mesh** | Integrates Istio | Consul Connect |
| **Policy** | Cedar (AWS-compatible) | Sentinel (HCL) |
| **Language** | Rust (memory-safe) | Go (garbage collector) |
| **AI-assisted** | MCP + RAG native | Terraform Cloud AI (limited) |
| **License** | Apache-2.0 | BSL (Enterprise paywall) |
| **Ecosystem** | ⚠️ Small | ✅ Huge |
### STRATUMIOPS Ops vs AWS Native Stack
| Component | STRATUMIOPS | AWS Native |
| ----------- | --------- | ------------ |
| **IaC** | Provisioning (multi-cloud) | CloudFormation (AWS-only) |
| **Secrets** | SecretumVault (**PQC**, self-hosted) | Secrets Manager (SaaS, no PQC) |
| **Orchestration** | Vapora (self-hosted K8s) | Step Functions (SaaS) |
| **CI/CD** | Vapora DevOps Agent | CodePipeline + CodeBuild |
| **Storage** | SurrealDB multi-model | DynamoDB + RDS |
| **Policy** | Cedar (portable) | IAM (AWS-specific) |
| **Multi-cloud** | ✅ AWS/UpCloud/Local | ❌ AWS-only |
| **Vendor lock-in** | ✅ Portable | ⚠️ High |
| **Cost** | Self-hosted (infra cost) | SaaS (per-use billing) |
---
## 9. Portfolio Metrics (Ops Perspective)
| Metric | Provisioning | SecretumVault | Vapora | TypeDialog | Kogral | **Total** |
| -------- | -------------- | --------------- | -------- | ------------ | -------- | ----------- |
| **Lines of Code** | ~40K | ~11K | ~50K | ~90K | ~15K | **~206K** |
| **Tests** | 218 | 50+ | 218 | 3,818 | 56 | **4,360+** |
| **CLI Commands** | 80+ shortcuts | 10+ (svault) | 10+ (vapora) | 6 backends | 13 commands | **100+** |
| **Storage Backends** | SurrealDB | 4 (FS/etcd/SurrealDB/PostgreSQL) | SurrealDB + NATS | Multi-format | FS + SurrealDB | **4 backends** |
| **API Endpoints** | 40+ (control-center) | 20+ (vault API) | 40+ (backend) | 10+ (web) | N/A (MCP) | **100+** |
| **Policy Engine** | Cedar RBAC/ABAC | Cedar ABAC | Cedar multi-tenant | N/A | N/A | **Cedar AWS-compatible** |
| **Crypto Backends** | 5 KMS | **4 (OpenSSL, OQS PQC, AWS-LC, RustCrypto)** | N/A | N/A | N/A | **4 backends** |
| **Multi-cloud** | AWS/UpCloud/Local | N/A | N/A | Yes (prov-gen) | N/A | **3 clouds** |
---
## 10. Conclusion (Ops/DevOps Teams)
This portfolio represents a cohesive ecosystem for modern operations:
- **Provisioning** is the muscle: deploys multi-cloud infrastructure with typed IaC and automatic rollback
- **SecretumVault** is the vault: protects secrets with production-ready post-quantum cryptography
- **Vapora** is the brain: orchestrates Ops agents (DevOps, Monitor, Security) with learning and cost control
- **TypeDialog** is the interface: configuration wizards that generate validated multi-cloud IaC
- **Kogral** is the memory: preserves runbooks, postmortems and operational knowledge
The **key differentiation** versus alternatives (Ops perspective):
1. **Full Rust stack**: Performance (10-50x Python), memory-safety, zero-cost abstractions
2. **Typed Nickel IaC**: Configuration errors detected at compile time, not at runtime
3. **Post-Quantum ready**: SecretumVault with native ML-KEM-768/ML-DSA-65, deploy today
4. **AI-native from design**: MCP + RAG integrated, not retrofitted
5. **Unified multi-cloud**: One Nickel configuration for AWS/UpCloud/Local
6. **Enterprise security**: Cedar policies, audit logging, RBAC/ABAC, 7 years retention
The **synergy** between projects enables addressing operations with:
- Typed and validated infrastructure (Provisioning)
- Secrets with cryptographic agility (SecretumVault)
- Intelligent Ops agent orchestration (Vapora)
- Configuration wizards (TypeDialog)
- Preserved operational knowledge (Kogral)
**Best for**: DevOps/SRE teams valuing type-safety, performance, PQC readiness, multi-cloud, and self-hosted infrastructure over mature ecosystems with vendor lock-in.
---
*Document generated: 2026-01-22*
*Type: info (Ops/DevOps positioning)*
Reference in New Issue View Git Blame Copy Permalink