Issue #026 - Timoni, Dolt, OpenBao, and the account that should never log in
CUE-typed Kubernetes packages, Prolly Trees, the MPL fork of Vault, zero-usage emergency accounts
The last thirteen issues each went deep on one thing. This week I'm breaking that on purpose. Four tools crossed my desk this month that don't need three thousand words each - but every one of them changed how I think about a piece of my stack, and none of them would leave my head.
So, old-school grab bag: a package manager that finally makes Kubernetes configs type-checked, a MySQL you can branch like a repo, a fork that outlived the drama that created it, and an account whose entire job is to never log in.
🚀 Sandbox Watch: Timoni
What it is
A package manager for Kubernetes from Stefan Prodan - the Flux guy - that throws out Helm's Go-templates-in-YAML and replaces them with CUE, an actual configuration language with types.
If you've ever debugged a chart where {{ indent 4 }} was off by two spaces, you already know why this exists.
How it works
A Timoni module is CUE code: schema and values get unified, and if a value doesn't match the schema, the build fails on your laptop - not halfway through a deploy. Constraints live in the type itself. port: int & >1024 & <65535 isn't a comment or a JSON schema in a separate file somebody forgot to update; it's the definition of the field.
Modules ship as OCI artifacts, so they sit in the same registry as your images, signed and versioned. Bundles describe whole stacks - which modules, what order, which clusters. And timoni build prints exactly what will hit the API server, which is more than I can say for some dry-runs I've trusted.
Why I like it
Garbage collection is built in: remove a resource from the config and Timoni deletes it from the cluster instead of leaving it orphaned. The diff output has syntax highlighting. Small things, but they're the things you touch daily.
When to use it
Honest caveat first: v0.27.0 shipped on July 2nd and the project is alive, but the README still warns that APIs may break before 1.0, and the module ecosystem is a rounding error next to Helm's charts. I wouldn't migrate a company on it. For an internal platform where you write every module yourself? That's exactly where I'd start.
Links
💎 The Hidden Gem: Dolt
What it is
A MySQL-compatible database where tables have Git semantics. dolt commit, dolt branch, dolt merge - on rows, not files. Any MySQL client connects to it and has no idea anything unusual is underneath.
How it works
The trick is a structure called Prolly Trees - a cross between the B-trees databases use and the Merkle trees Git uses. Diffing two versions of a huge table doesn't scan the data; it compares subtree hashes and descends only where they differ. History is stored with structural sharing, so a new version keeps only what changed.
Merge conflicts get resolved at the cell level. Two analysts edit the same row in different branches, and Dolt shows you both values and asks.
Why I like it
The reproducible-ML story sold me. Pin the commit hash of your training data next to the commit hash of your model code, and "what exactly did this model learn from" stops being archaeology. Same shape works for config databases: changes go through a pull request on data, with a reviewable diff of rows.
When to use it
Writes run 2-4x slower than stock MySQL - Merkle hashing isn't free - so this is not your hot OLTP path. Reference data, feature stores, config, the datasets your agents keep rewriting: that's the sweet spot, and v2.1.10 landed in late June, so the project is moving fast.
Links
⚔️ The Showdown: OpenBao vs Vault
The story so far
In August 2023 HashiCorp moved Vault from MPL to BUSL - source available, but no competing products allowed. The community forked Vault 1.14 into OpenBao under the Linux Foundation, IBM loudly backing it. You know this part.
Here's the part that still makes me grin: in February 2025, IBM bought HashiCorp for $6.4 billion. The company that bankrolled the open fork now owns the thing it forked from. Nobody has blinked - as of this summer the BUSL stands, and OpenBao keeps shipping under MPL 2.0 with the OpenSSF holding the keys.
Where they actually diverge
Three years in, this is no longer a rebadged Vault. OpenBao hit v2.5.5 in June and its working groups are building namespaces - a feature Vault locks behind Enterprise - in the open. The flip side cuts just as hard: OpenBao legally can't copy a single line of post-fork Vault code. Every new Vault feature needs a clean-room reimplementation, and that gap compounds every quarter.
I covered which secrets tool fits which threat model two issues ago - issue #025 - and everything there applies to both, because the API surface is still compatible. This one's not about threat models. It's about who you trust to still be licensing you the thing in five years.
My read
Internal use, want vendor support: Vault is fine, BUSL permits you. Building a platform where secrets management is part of the product: Vault is a legal risk you don't need. Betting on Enterprise features arriving free: that's OpenBao's whole reason to exist. Watch whether IBM keeps funding both sides - that's the tell.
Links
👮 The Policy: break-glass access
Why this matters
There's a paradox buried in every mature IAM setup: the stronger your SSO, MFA and conditional access get, the more total the lockout when the identity provider goes down. Your admins can't log in to fix the outage because the outage is the thing that checks logins.
Break-glass accounts are the answer, and most orgs either don't have them or have them configured in a way that fails exactly when needed.
The rules that matter
Two or more accounts, cloud-only - never synced from on-prem AD, because a dead domain controller must not take your cloud access with it. Explicitly excluded from every conditional access policy. Authentication on hardware FIDO2 keys stored in physical safes, and deliberately a different method than your daily admin accounts use - if Authenticator push is broken for everyone, it's broken for you too.
Then the rule that turns this from a backdoor into a control: zero usage. In normal operation, login count for these accounts is exactly zero, and any successful sign-in fires a critical alert to the whole security team. Not an email. A page.
Microsoft's guidance on this got refreshed just last month - emergency accounts must be passwordless now - and it includes ready-made alert queries. Steal them. And run a fire drill every 90 days: open the safe, log in, verify the alert actually fired. An untested break-glass account is a password in an envelope and a prayer.
Links
That's the mix. If one of these four earns a full deep-dive later this year, it'll probably be Timoni - unless the IBM subplot delivers first.
Questions? Feedback? Reply to this email. I actually read them.
- Ilia

