Brandon (00:01.508) All right, hello. Welcome to this episode of Software Defined Talk. Well, I want to welcome in our guests this week. We have Phil and Theo from Varlock. Welcome to the show, gentlemen. Theo (00:10.843) Howdy. Phil M. (00:10.904) Thanks for having us. Brandon (00:12.708) All right, well, I have been a long time, I shouldn't say a long time. I'm a recent fan of Varlock. I love it. I've been using it a ton. and we're gonna dive into what it is and why I think everyone listening to this probably has a place for Varloc in their tech stack. but before we start here, you know, the reason I even know about Varloc is listener JD from the Slack. And he says that quote, Varlock has the best web design he's seen in a long time. And so for the people who haven't seen it, Varlock is not your typical corporate site. So I wanted to, and I I think it's awesome. So I started to like, I was like, maybe I should describe it, but maybe I'll start, you know, with Phil and then you can chime in. It's like where what inspired the the varlock website? And maybe for everyone that hasn't seen it, how would you describe it? Theo (00:42.456) Thank Phil M. (01:07.156) I mean it it's definitely got that sort of nineties RPG aesthetic, let's say, with a little bit of yeah. Yeah, you know, like metal bands and Dungeons and Dragons, that kind of thing. all those classic Metroidvania games from back in the day. Brandon (01:14.392) Like a little doom, like a little kind of like is that kind of what where it came from? Brandon (01:27.94) All well, I'm glad you said because I know you're a musician. I'm glad you said 'cause it does have like a metal kind of flavor. But I like, I don't know if that people like sometimes people don't want to be associated with that. So I'm glad you volunteered with it. So it's fantastic. So when you're building the website, I know if you're like, did you guys like do like quote unquote like maybe like a regular website and then you're just like, We're just gonna lean into the motif. Like where who made the call here? Theo (01:28.604) showing my shirt. Phil M. (01:48.962) I mean it I think it kinda came out of the name, right? Like Varlock is obviously like inspired by Warlock. So we we really kinda leaned into that RPG aesthetic. I don't know. What do you think, Theo? Theo (01:51.835) Mm-hmm. Brandon (01:55.204) Mm-hmm. Theo (01:58.96) Yeah, mean, knowing that our audience is nerdy developers, we figured that they would probably be into it. We did have a previous product before, the name of the company is called Domino, D-M-N-O, and the previous product was called Domino, D-M-N-O dot D-E-V. And I actually was pretty proud of that branding and everything as well, but it felt a bit... I don't know, it didn't really stand out. so when we were, when we sort of went through this rebrand and changed things around, the name obviously just was pretty sweet. And we were like, let's just lean into it. Let's go full, let's make it look like a video game. And yeah, we both just felt like kind of a dark, evil warlock was the vibe. Phil M. (02:45.73) And yeah, and we even used game assets and s for some of it. Like we bought game assets and used them. Brandon (02:49.227) Yeah. Yeah, well I I I believe I I think you could have paid like a creative studio like millions of dollars and they would have not gotten this correct. So I mean sometimes I don't know, sometimes you gotta do it yourself. So I mean I don't know. Did you guys have it? Maybe I sh maybe I shouldn't say that you like someone on the outside helping you with the design, or is this a hundred percent your own doing? Phil M. (03:07.019) L S. Yeah. Theo (03:08.077) No, it's just us. mean, I've been doing this stuff a long time, always doing design, development, everything. So I've done quite a few, you know, branding and things over the years. This is definitely what I'm most proud of. Brandon (03:13.697) Yes, you're happy to jump in there, make it happen. Brandon (03:20.887) Yeah. Well this one this is great. This one's definitely top of your portfolio, I think. So fantastic. All right. Well, here, let's we always want to get to know everyone a little bit before we kind of jump into the details. So Theo, maybe start for you. Maybe just a little bit like who are you? How did you find yourself in in tech and how'd you find yourself building Barlock? Phil M. (03:25.08) Yeah. Theo (03:36.508) Sure, So yeah, I'm Theo. I live outside of Vancouver on a place called Sunshine Coast, 40 minute ferry ride from town. And yeah, I've been coding since I was a kid, building websites. When I was in high school, I was building websites for small businesses, nonprofits. We built a whole custom CMS. I built an ORM before I knew what an ORM was. It was pretty good, honestly. I eventually switched over to doing WordPress sites as WordPress became sort of more popular and battle tested and just kept building stuff all through university. Never went to class. I went to school for computer science, was working the whole time. And yeah, after school, graduated and met these guys that were starting a startup accelerator in the same building as me. And they were like, we want to give you money to start a company. We'll figure out what it is later. I was like, sure. Brandon (04:34.723) Great. Fantastic. Theo (04:36.381) So started a startup, yeah, that's a very different thing, long time ago, although also video gamey. And yeah, just ended up working for a bunch of different startups, kind of going through that zero to one motion a bunch of times. And... Yeah, some notable ones are, well, Phil and I met working at Breather, which was some folks might remember, kind of meeting rooms on demand. And then I worked at Clearco, revenue-based financing. And then more recently, Clay.com, is going very, they're becoming very popular. They're sort of the go-to-market tool of the era right now. And after that system initiative, which was by Adam Jacob who's the creator of Chef. So also in the sort of DevOps, DevTool, deployment automation space. And yeah, we can talk later if we want about how sort of those clay and system initiative fed into what we're doing. But yeah, why don't I hand it off for now. Phil M. (05:43.18) Yeah, I mean similar story for me, you know, coding since I was eight or nine years old, doing websites in high school for money for small businesses. and then not attending class as a computer engineering and management student and doing computer engineering and web dev for the university while I was there. and then kind of cut my teeth in this tr Toronto startup scene. So achievers. Theo (05:56.987) You Phil M. (06:11.187) then went corporate for a bit at Indigo, which is kind of like the Barnes and Noble of Canada for you international folks. then Theo and I met at Breather. and I went to DigitalOcean and sort of formalized front end development there. yeah, did lots of great stuff there. and then took a break from management, went back to IC World and was an early hire at daily.co, doing kind of like a web RTC dev tool. Brandon (06:24.483) Okay, nice. Phil M. (06:39.201) Which exploded during COVID. So lots of interesting video stuff, lots of really cool kind of scaling problems. and then took a break from there, ran in the woods for a year, went on tour, and then Theo came knocking and here we are. Brandon (06:55.891) All Well, maybe at the end we'll you can recommend some music you got coming up there. So we'll we'll tease that. Well everything's gotta stay at the end to get some new music recommendations from you. So well that's fantastic. You know, obviously Adam Jacob, founder of Chef System Initiative and you know frequent guest, at least a multi time guest here on Software Defined Talk, and then all the listeners probably know, you know, Matt Ray was a longtime chef employee. So it's like I don't know, maybe Adam Jacob is the next us. Like we all just, you know, he's always like doing something crazy and I think he's probably building something crazy now. So fantastic. Phil M. (07:01.533) Hmm. Phil M. (07:19.469) Yeah. Theo (07:19.515) Mm-hmm. Phil M. (07:24.085) Swamp Doc Club. Brandon (07:26.123) well let's let's start with here. and you know, whoever wants to take it, maybe just for everybody that hasn't seen Varlock and has maybe never touched it, how do you describe the product? Theo (07:38.918) You want to take a film? Okay, so, you know. Phil M. (07:40.151) Go for it. Theo (07:43.994) Take your typical .env.example file that you have, and there's a lot of problems with it. It gets out of sync quite easily. Documentation is spread all through your code base. Some is there. Some is in the code. There is no built-in validation. You want to load environment variables from other sources. You're basically stringing a bunch of tools altogether. So at the core, we wanted to build the ultimate configuration and secrets toolkit that would work in all cases and so you don't have to rebuild this stuff from scratch every time. And so you can imagine how it works is you take that dot env dot example, rename it to dot env dot schema, and then we use decorator style comments to add additional schema information like at required at sensitive docs, types with validation, a whole bunch of kinds of helpers. And then we also introduce a function call syntax so that you can, you know, if Some people may have used the one password OP inject where you sort of replace values with references. So we sort of make that more generalizable. So there's plugins that introduce functions and then you can have an actual OP function that fetches from one password or an AWS, know, SSM function that fetches from there. There's, think we have 16 different plugins now. You can also use the plugins to sort of compose values together in interesting ways. It automatically loads, you multiple files, .env.development, .env.production, et cetera. Built-in encryption with secure enclave. nothing is in plain text ever. Scan your finger to unlock it. Yeah, and then drop in integration. So there's integrations for Vite, Next, Astro, a whole bunch of different things. So it's really like end to end. How do I manage this stuff? How do I inject it into my code? Because we know what is sensitive, we can do things like inject code that will redact that sensitive value from your logs or stop you from leaking it in an outgoing server response. basically, all this interesting stuff happens when you have this really tight schema and you understand the shape of this data. Brandon (10:02.902) And so I think that's like the interesting and maybe simple but but in this in the same sense, you know, unique or innovative observation is sort of like I think of it as simple as this. It's sort of like you're bringing structure to the chaos that is environment variables. And I don't I don't really know other than people just sort of like putting them in readmes, creating an example. from what I can tell, you know, and you know. you know, obviously listeners can jump in there and tell me wrong. It's sort of like everyone just kind of rolls their own, right? There's sort of like you go to a company, you get on a project, you probably, you know, get the get, you know, you know, on your computer, get the project going. And then you kinda have to figure out like what do I need to do to make it work? And then there's usually this other side where it's like, Well, how's it going to be done in production? And sometimes they're the same and sometimes they're different. And I th I don't know, I just think the observation that you Theo (10:33.915) Mm-hmm. Theo (10:51.821) Mm-hmm. Mm-hmm. Brandon (10:58.25) you gu guys had. And this is sort of like I'd be interested to kind of hear the story a little bit about how you got to it. It's like, you know, you kind of came up to you mentioned it. And we'll get in more into like the spec side of it. But it's sort of like it feels like this is kind of the the thing. You're like, we need to bring some order to this chaos and we're going to have a nice specification that is extremely powerful. But at the same time, the first time you see it, it's pretty simple. Like if you start with like a very basic example. and so like what was, you know, I mean and maybe I feel give it to you. It's sort of like Or or whoever kind of decided, like, what was the kind of the aha? It's like we need to bring structure to this chaos world because there's probably a million things you guys could have built, but this this one you focused in on, why? Phil M. (11:39.862) Yeah, I mean, I think like the industry in general kind of talks about shifting left. And our our sort of light bulb moment was what if we started left? Like these are developer tools, so they should be written for developers from the start and not like, you know, most of these secrets tools, for example, are just like here's an SDK, have fun. or, you know, some narrow piece of this tool of this pipeline, you know, like validation. Here's 15 different libraries, figure out how to integrate it. But the real solution is when you actually do it end-to-end. So I I think that was kind of the light bulb moment, right? Like how do we load it, validate it, and then use it in the applications? And still, I think Theo can correct me here, I've yet to see anyone do the application part of it. Theo (12:29.551) Yeah, absolutely. I mean, there's a lot of tools in this space. I don't think anyone is handling it sort of as end to end as we are or as flexibly as we are. But yeah, maybe what would help is like a little bit of backstory about how we got here, which is that I was working at System Initiative with Adam and building this crazy deployment stuff. the sort of secret sauce there was everything is this reactive graph of data. So you change one thing and it flows through this graph. And... My sort of realization while I was working there, you know, and building this tool like for DevOps teams and like DevOps professionals, it's like, I want to build a similar tool. But for me, as the sort of like full stack engineer who, you know, does DevOps stuff, but I'm not a DevOps guy. I'm not working in a DevOps team. And what that looks like is like, we need this reactive graph of data. And that reactive graph of data starts with environment variables, because often, you know, if you're writing some Terraform, like half of the boilerplate is just wiring the fucking environment variable, sorry, excuse me, wiring an environment variable through from like, from here to here and renaming it five times. And it's like so much extra work just to kind of pipe these things through. If we understand the environment variables that your application needs, we can do a lot of that plumbing kind of for you. And if we understand like often the way that these different services are linked together are through environment variables, right? You have an API that lets you point at another service and an API key that lets lets you talk to it. And so we thought if we sort of build this whole reactive graph of data for your application, starting with environment variables, we can wire it all the way through to deployment. Like if we understand that the website needs an API URL, then well, we know we need to deploy the API first, right? And then feed that in. So that was sort of where we started. And we built some really cool stuff, this big reactive graph. The schema was all in TypeScript. Theo (14:33.211) And it worked really well, but it felt heavy. And so with Varloc, we said, you know, how can we simplify this? we, you know, the realization there was why don't we meet people where they are, right? They're already using .en files. It feels familiar. If we can move this stuff into where they already are now, it'll immediately click, right? You look at the thing, you see the decorator, it just, it makes sense. And in the process, we also sort of... peeled back the big vision to not worry about deployments because we realized that even just this environment variable and configuration layer is extremely important. Brandon (15:12.107) Yeah, and I think this is the part as I was kind of like kind of going through the history of my on my own here that I think is both unique but like super insightful is it's sort of like, you you you've kind of built out. I mean, this was domino, right? This is the the TypeScript and and very powerful. But then it's almost like I mean my read on it was almost like, this is getting a little too complicated and it's not exactly where we want people to be. And you are willing to basically, I don't know if you guys think of it, but essentially start over. Like you said, like I'm gonna move back in the process. And do that. So I don't know, was that like a a long discussion, Phil? Was or was that just like how how did you 'cause that's pretty hard, right? Like you get to something that 'cause it has some of its own success, right? It's like it it doesn't do. It's just you clearly made it a call there. So walk me through the mindset there. Phil M. (15:56.479) Yeah, I mean, I think we saw the people who understood it, you didn't have to explain it, right? The people who had the like domino is called domino because it was for monorepos, like do mono, you know, kinda it's a bit of a backronym there. But so anyone who had this sort of big complicated monorepo immediately got it. They were stoked. but for let's say like everyone else, where they hadn't quite reached that level of complexity. Brandon (16:08.166) okay. I get it now. All right. Phil M. (16:25.804) They're like, well, why am I gonna spend two hours writing a bunch of TypeScript when I are like, I just want you to load these environment files that I have already? So I mean that was the big impetus for us, I think. Like, like Theo said, just meeting them where they are and taking that, you know, time let's like at a previous company I would call this time to developer value, right? So with Domino, the time to developer value is probably 20 minutes. Maybe Maybe a little bit less, maybe a little bit more, depending on the complexity. With varlock, it's probably it could be thirty seconds. It could be a minute, right? You run varlock and it, you're pretty much good to go. Brandon (17:06.945) Yeah, no, I think that that's that is that's a really good observation because I think it is like how quickly people can have that wow moment and how quickly they can, if you will, have success. And then and because I've I've lived through this. It's sort of like you start with like the 30 seconds and then you're like, I can do more, it can do more, it can make my life easier. So so maybe let's let's kind of give people a flavor of it. So I don't know, I've never done this and I think it's it's pretty cool that you guys did. So you basically came up with an entire spec, right? That at ENV Dash spec and go out to the website and it's got like all the official, you know, beautifully documented specif specification stuff. So I I guess and it feels like like a little bit inspired. I don't know if it, you know, if that's like a chef inspiration or like a terraform inspiration, or like does it is any of that where you you kind of got some inspiration from or is this sort of just something that you guys kind of came up on your own? Like w how did that that part kind of figure it out? Like we need a spec before we do anything else. Theo (18:01.219) I mean, I think it was just we knew that we needed our own, like we wanted to meet people where they are. and sort of on that note, like with Domino, we, we had always thought like, we could do like a simpler YAML version, you know, that has limitations or whatever. And it was always like, It's not worth giving up the full flexibility of a language just for another thing that somebody has to learn. It just felt like that's not actually going to be better. But when we have the realization, if we put it in a .env file, that... becomes worth it, right? The simplification for the trade-off of like, they already get it and they already know it to a degree. So the constraints there are, well, it has to look and feel like a .env file. The extra schema information we add shouldn't break an existing .env parser. So naturally everything's gotta be in comments. what are you going to do? Like, decorators just seemed like the natural kind of thing. It felt familiar. So it kind of all just fell out pretty naturally. There's a lot of weird edge cases we had to think through, but the sort of basics, I think, just came right away. I will also call out one other sort of similarity to another tool, which is... something called Qlang. And it's a sort of configuration language. I mean, I don't even think I really knew about Qlang when we we built this. But the insight there that that makes this interesting is that you're both setting values and schema at the same time. A lot of other similar kind of tools in this space. It's like, here's my dot n file with the know, with the values. And then here's my schema file in JSON or in Tomal or whatever. And it's like this old Theo (19:48.686) they're split. But you know, as soon as you have what is the default value, it's like well is that a value or is it going in the schema? You know, if I want to alter something for production or development, like okay, like if I want to alter the schema that way too, like you quickly get into this weird situation. So by bringing those two things together, it seems simple at first, but I think that's a huge unlock. Phil M. (20:11.412) And I think like the starting with a spec, like we wanted this to be open, like we wanted this to be adoptable by anyone else. you know, the I think there's value even if you just look at it as purely documentation. Like you could imagine that, you know, Theo was talking about dot dot example at the start. If you have a dot dot schema file just with the the comments in it, it adds value even if you don't run varlock, right? Because you can reason about what's in there. Brandon (20:40.724) No, I think that is ex like I said, I think at the beginning of this is like you're bringing structure to this world of chaos, right? Like it just ev even if you just use the comments to be like, this is what this means and even simple things like this is sensitive, this is you know, or not, right? I mean it's back to your 30 seconds of value. You're just getting value if you just did that. Now of course you're gonna get a lot more value if you actually use it at runtime. So let's walk through because not everyone's done it. I'm I'm sure there's some people haven't, but like right now there's a bunch of people that have just environment variables on their Machine. So make it simple. Maybe they just have a few API keys. Maybe they just vibe coded something like I do. Maybe they need to like put it in Cloudflare or something like that. So maybe we'll start with UTO. It's sort of like, okay, I've got a bunch of environment variables. I'm going to download and install varlock run, you brew install, whatever, however you want to do it. How do they get started and what's going to happen behind the scenes? Like take us through maybe a really simple example of like that schema file that I'm going to create. Theo (21:36.922) Yeah, sure. So you can imagine, you yeah, you can install it via Homebrew or you could install it if you're doing a JavaScripty project, you just install it as a project dependency. You don't even have to do that right away. You could do NPX or Bunnex or whatever, varloc init. That's going to scan your repo for existing .env files and for references to process env and all the other languages, sort of environment references in your code. It's going to scaffold out your .env schema for you. So it should usually do a pretty good job. It'll have all the keys there. If it came from a committed end file, it'll just have the value right there. If it doesn't, that value will stay in .env.local. It will infer the types based on the name and the value. So it'll pick out, this is URL. This is a Boolean, things like that. It will ask you to review it. It'll give you some pointers. Yeah, it'll also guess at which ones are sensitive, again, based on the key name, something like token or secret or whatever. So that'll usually do a pretty good job. You review it, you make sure that, you know, maybe that API key is actually public, so it's not sensitive, things like that. And then you can... how you actually sort of inject with varloc depends a little bit on your situation. Say you're using .env, know, npm package already, you can, there's like an easy way to just swap it. If you're using a bunch of different frameworks, VEAT or Next or things like that, you can just sort of install our drop-in integrations. It all just works magically. And if you're just running scripts or, you know, this, you know, this is, it's not a JavaScript project, you can use varloc run. So varloc run dash dash, and then your script. that load all the .env files, loads it into this big graph and understands the whole thing, then it goes and resolves it. And so it resolves the values, then runs the validation. If something fails, it'll give you a really nice formatted thing. It'll say, hey, this failed, and here's why. Not some weird runtime crash later. This thing was malformed, or this thing was required, whatever. And if it succeeds, it will inject those environment variables into the process that then runs. Theo (23:52.676) Yeah, mean, there's a whole lot more around, it'll redact the logs once it's running in there, you know. Brandon (23:58.421) Well, let's kind of keep going because I think you so so I run a knit, I get my my file, right? And then you said there, right first like it'll declare some of the stuff secret. Then I think on a step two, you know, maybe for someone that's sort of like sloppy like myself, right? Was like, well, wait a minute. I have all of these values kind of in the file. So the first thing I need to do is like move these out, right? Put these secret values. And those and so I don't know how everyone does it. So I sort of at first thing you do is like, okay, well, I'm gonna put the secret values in this other dot env file. Theo (24:18.363) Mm-hmm. Brandon (24:27.53) Then I'm gonna clean up my schema file so it doesn't have anything secret in there. And then to me, the next step is like you commit that to get because it's sort of like, okay, now everybody knows what for this project. Here's all the environment variables we need. You got to get them somehow. And you can you and they don't even necessarily have to use, and you're not making them use varlock at this point. You're just saying, like, here it is. Now, obviously, if they see that, I think that's like almost like if you will, if there is such a thing as a viral Theo (24:34.532) Mm-hmm. Phil M. (24:34.656) Mm-hmm. Brandon (24:55.338) developer product. Maybe, maybe this is that moment, right? People like, what are they doing? What's this thing? But like, so that that to me is kind of the next step, right? Is you separate that out. Is that am I is that like a too simple a step? Is that how you see people doing it, Phil? Phil M. (24:59.69) Mm-hmm. Phil M. (25:09.45) Yeah. Yeah. So I mean, like you said, then you the the next step is to get everything out of plain text. So there's there's obviously a few different options there, right? You put those some people probably already have those values somewhere else and they've copied and pasted them onto their machine. So you could load them from the source of truth, be that secrets manager, one password, bitwarden, what have you. if you have local files that you need but no one else needs, you can encrypt those securely. using our native encryption. and we have a a few different ways to in to load those values. You can do it one at a time with the sort of little prompt workflow, or you can ingest an entire file and it'll do them, you know, in bulk for you. Theo (25:53.404) Yeah, there's also a native Mac keychain support. So if you want to put them in the keychain, that works too. Brandon (25:58.75) Yeah, so I think I mean this is I think we're just kinda walking through the whole thing. So I think I think most I mean, I'm just gonna use myself. It's like, okay, well first I'm gonna put my secrets in only the file on my machine. And it's like, okay, well, at least the world can see my schema. And then it's like, then it's like, hmm, these are all in plain text. Like, what could I do to make that more more safe? So in my case, and it's everyone listening to this show knows I'm long time user of One Password. And one password is one of many secrets managers out there. They have a nice C L I. So this was kind of the next this is the next revelation was like, wait a minute. I can now integrate this. I'm gonna put I'm gonna create a vault, and I I assume this applies to all the secrets managers, create a vault, especially for all my, you know, development kind of world. And then that's gonna be the thing the source of truth for those things. And then Varlock has, you know, I'm just gonna talk about the one password one because that's the one I know, right? Has a great integration. You just do some syntax like OP colon slash slash, or you just tell it's like it's a one password value. And I don't know, to me, this is where it gets a little magical. Barlock can then go out and grab that from one password. and it will either prompt me when it when it's doing that, it'll prompt me and it'll make me, I guess, do the biometric authentication, which is nice, right? Or I guess I can sit down and actually type in my password. So I mean, is that one is that generally right? And then two, like at this secrets management is like I feel like this is the moment of like Where like you're making the CISO or security people in your organization happy while simultaneously you're making your life easier for yourself. And I always think that's like the perfect kind of product, right? Like I'm gonna make you more productive while simultaneously making you more secure. Cause it's usually the opposite. It's like I'm gonna make you more secure and make you less productive. So whoever wants to take this, like how do you know I I talked about one password, but there's a million others. How how do you see people adopting the secrets management and integrating with varlock from your users today? Phil M. (27:54.026) OnePassword's definitely the most popular. I think just because so like one of one of the challenges, and you've talked with with us on Slack about this, is that secret zero problem, right? In most integrations, you need a way to identify yourself. Usually that's an API key. We with OnePassword, if you've got the desktop app installed, it we can pass through the authentication to that app and you scan your fingerprint, which Brandon (27:56.138) Okay. Phil M. (28:18.505) You know, feels like magic until you have to do it a thousand times. But we we've done some work to make that better. so I think a lot of people do that because A, because OnePassword is such a popular product and it works very well. and that you know, local finger fingerprint scanning workflow just feels good. It feels secure. so th I'd say that's, you know, by far our most popular integration. But I think there's currently sort of like a long tail of growing ones. You know, I I could look at the stats, but th there's a lot there's a lot more that are quite popular now as well. Theo (28:54.135) I do want to call one thing out with the one password integration, is that, know, one password itself, you can, you can have a file that's kind of like this with those OP colon slash slash references and run OP inject. but the thing that we add on top is like, that workflow with one password only works running locally with the OPCLI. We give you a way of expressing those references and then using the OPCLI with your fingerprint locally or in production using a service account token to fetch those same values. We also then provide this whole layer around, you know, the validation on top of it, composing values together, altering, know, this is the dev value, this is a production value, all that kind of stuff. So there's, there's like, you can kind of do the basics with just one password, but we add this whole layer on top that makes the whole developer experience, I think, much, much better. Phil M. (29:44.083) And you can mix and match vaults and environments. Brandon (29:46.688) Well, I think that's the key, right? The thing about it kind of back to what we said at the beginning of this kind of little fake use case. It's like, you know, it's the problem if you're just tied to one password is like you're tying everybody else to one password. I can't put that. I mean, I could put an E and V file with all one password references in there, but then you gotta have the same one password. You gotta have one password, then you gotta have the same kind of vault syntax and you gotta have and nobody wants that, right? So it's like 'cause everyone's got their own, you know, preference like Bitwarden's really popular. Go ahead do. Theo (30:12.123) You On Teams, it's common if it's a work thing, It's like you, you know, you standard issue day one, you get your laptop, you log in one password, you know, here's the vault, you know, you have access to the dev secrets vault, not the production secrets vault. And I think that's part of why it's so appealing is because there is no secret zero, right? You've already installed the secret zero as part of your daily setup. But you're certainly right that in a more distributed thing or, you know, an open source product, just having that schema and then letting you wire up the values yourself. Brandon (30:16.767) Mm-hmm. Brandon (30:26.409) Mm-hmm. Theo (30:43.866) is better. Brandon (30:45.257) Well, I think it's just kind of you know what you you just said, I guess it's just like don't couple yourself to it. It's like sure, every everyone uses one password, great. But if not, then it's like it's you know, it's there and and you've got I still have the the nice schema. And so and then the last thing, and I just think this is like a genius. I just really like this. So I think we should I just want to spend some time on it. It like you said secret zero. So then it's like so for me, it's like, okay, so now you've kinda gone through this thing. It's like I've gone from I have no security and everything's a mess. I have my spec file, so at least I've cleaned it up. I move my secrets into its own file. I move my secrets into one password. And now I am kind of constantly using the biometric authentication. So in one password, like others, you can create a service token, right? And it's like, okay, well, that's secret zero. And you're like, well shit. Well, like how my like I'm back kinda back to like, do I have to leave this in a plain text file? Right. And and I'm like, you know, it's like, you know, maybe I could do that. It would be a little bit more convenient, but it's not really right. So maybe you can explain b bestie, like you Theo (31:29.495) Mm-hmm. Brandon (31:40.969) You have this nice thing where you can basically say, like, put this one secret in the Mac OS vault. and that's sort of how you can protect your secret zero. So maybe explain how that works. Theo (31:47.524) Yeah. Theo (31:52.1) So yeah, I mean, and. In this case, would be, you know, your secret zero for a lot of other of the plugins, you would have a secret zero. You can also just put values in there if you don't have any sort of plugin that you're using. But basically what we do is with the NPM varlock package and with, you know, same with the homebrew version, we distribute some very small native binaries. so on Mac, that native binaries job is to run a daemon in the background. It turns off everyone's a while, but basically a little menu bar app that is listening for requests and it manages unlocked sessions. In one password, natively, they have this notion of each TTY, each terminal, is its own session. We do something similar, but there's a bit more around also looking at the process tree and trying to be a little bit smarter in cases where you're logically in one session, even though there is no controlling terminal. And so basically we decide, are you unlocked already? Are you in the same session? And then we call out to the, on Mac, the secure enclave, which is the hardware. based sort of encryption chip. And so we encrypt the value using that and it's only unlockable with biometrics. On Windows and Linux there's similar things, it's not quite as slick, but there's a similar daemon and similar sort of like use the machine's encryption as much as possible. Phil M. (33:24.105) Yeah, on Windows it's Windows Hello and Linux it's it'll look for a T PM. Brandon (33:28.862) Yeah. So I mean this is like so this is sort of like you're getting to like the nirvana of the situation. Like not only have I cleaned up my whole situation, like everyone knows what I need, but like now I have zero secrets in plain text anywhere. all I have to do, and then maybe you can talk about how you do this is sort of like what I find that's great is though is I if I authenticate once, you you basically are keeping that credential, you know, that one password token. And maybe you can talk about like a new feature. You're it's even to the point now, it's like I guess it's Like I can't even see it inside the I did this the other day. Like in the terminal, I c it won't even show me what that is. But like I know you've cached it in like your own secure world. And so it's it's almost like once I'm set up, it's like in that terminal, I'm good to go for as long as I'm I I'm I keep that session open. Like you have what you var lock, have that thing. You can unlock my keys. I can work. None of these keys are none of none of this is actually available in the terminal, so it's super secure. And at the same time, I don't have to continuously authenticate over and over, even with the biometric anymore. So maybe I just think that's like this is the magic. So I don't know who who wants to talk more about that. Theo (34:35.099) I mean, yeah, there's the sort of which session are you in, and that's based on the terminal, the process tree, application, like hierarchy, things like that. And then there's a timeout. So I think after a certain amount of not being used, it will lock again. You can also lock it explicitly either in the menu or with the CLI command. I mean, it's similar to the experience you get with one password when you're if you're sort of in a one person, one terminal situation, then it works right and it feels great. But the problem with now we're doing all this AI development is that, well, Claude code or whatever is spinning up all these sub-processes. And if you're not identifying it back to the same LLM coding session, then you're going to be scanning your finger over and over and over again. Brandon (35:23.974) Right. So you go from like, you know, being like I I feel like my progression is like, this is great. I can just do this. This is great. All I have to do is scan. This is a million times easier I was before. Then I'm like, you know, I'm kinda tired of this scanning all the time. It's kind of annoying me. So it's like, you know, and I think you're right. You can kinda do it with one password, but my experience like one it's just much more aggressive at like closing out the sessions and like yeah, it's just constantly whereas like I don't know, Varley, you know, you guys have kind of figured it out a little bit more. Like you don't you're not bothering me. You're out of my way a little bit, which I like. Theo (35:34.885) Thank Phil M. (35:35.038) Yeah. Theo (35:48.272) The other thing, yeah. The other thing that this sort of native encryption primitive buys us is the ability to have caching, right? So we now have a secure place to cache stuff. So, you instead of having to talk to one password and go talk to their servers on every refresh, we can cache it again, encrypted with the same biometric, you know, secure enclave security. So it's, you know, that sort of cache or encryption primitive really opens up a lot of interesting doors. It also opens up interesting doors for us in the future to do things where maybe we want to have our own secrets vault, we want you to log in, right? With all these tools, it's like, okay, log in and it shoves some API key in your home folder in plain text, right? So it's just, it's not safe, right? You need a way of storing it securely. And the only way to really do that is with a native binary and hardware encryption. Brandon (36:45.288) No, I think it's fantastic. And we don't we won't go through the entire spec. I mean, people need to go check it out. But like it has tons of, you know, I don't know, decorators for lack of better word, tons of things that you can start to do to really annotate everything in your file so that everyone knows what's going on. And more importantly, so that you know what's going on. Yeah, that's maybe the the simplest side of it. Theo (37:02.555) One other feature I'll just call out, because I think it's really cool, is imports. So if you're in a mono repo, mean, anyone that's done this mono repo stuff before, like each part of the repo has its own environment variable set up, its own validation, and there's no real good way to share things. with Varlok, not only do you have one toolkit to use everywhere, but you can import values and schema from a shared route. You could import from something that's sitting in your home folder. just that import syntax is extremely useful. Brandon (37:36.425) Yeah, fantastic. And then obviously the one password is a common way to import import that at the beginning, right? And so you know you're you're set up. So so okay, so everyone, no excuses now. Everybody has a way to to store everything securely. And I I mean, like I said before, like it's it's adding productivity while also making your security either you yourself happy because things aren't plain text, or your CISO or your security teams are much happier. So this is like, like I said, so rare that you find both. Now Theo (38:03.163) Thank you. Brandon (38:04.414) AI, of course, you know, it's a podcast. We have to talk about AI. But this is kind of how I got into it was because I was building stuff with AI, it started to introduce lots of new services for me, and which is great, you know. But it would be like go get sign up for this and get the API key for this. And then I just I was this is where I was starting to get like this is getting out of hand. Like I have a lot of API keys, and suddenly I feel like I have a lot more if you will, vectors of attacks. So maybe talk about how you see varlock. Theo (38:14.491) I Brandon (38:31.708) both now and in the future, kind of, if you will, integrating with all the various AI agents, including Claude Code, which is probably, you know, the one everyone's using that's listening to this. Phil M. (38:41.098) Yeah. I mean I I I think there's two sides, right? There is the the schema is a much easier thing for an LLM to reason about. So like it's it's a type structured file. So it is much easier for an LLM to write that, which is a win on the sort of, you know, let's call it ingest side. And then the the security guardrails we've put in place, like the redaction and the leak prevention and all that, keep the keys out of the context window of those. LLMs as well. So, you know, kind of best of both worlds there. Theodore, did you want to talk a bit about the sort of proxy and like the next steps? Theo (39:19.259) Yeah, yeah. So like what we do today, we get the keys out of plain text so the LLM won't read it either on purpose or accidentally, right? That's a huge win. We also have this log redaction stuff, whether you're using varloc run or some of our JavaScript-based stuff. So if it accidentally gets logged, it will get redacted. So that keeps it out of the context window as well. But it's not foolproof, right? The agent can still go and run varloc load. A normal varloc load gives sort of a human readable thing with redacted outputs, but it could do varloc load, JSON, and it'll get just the raw values. So the sort of place that the industry has settled on, and I think it makes sense, is using a credential broker. So basically inject fake placeholder keys for things that are sensitive and inject the real keys in an HTTP proxy sort of on its way out over the wire. And so we knew that we wanted to build this. And we were waiting for some of these other primitives to kind of be there. But that's what we're going to release next is this proxy layer. So not only are you removing it from logs and plain text, but we remove it from the process altogether. And so you could just run that on the same machine, and it's going to be still better. It's going to be less likely to leak. But the next step is to run, say you're running something in a sandbox with the proxy running outside of it, then it's really full proof. And we have a natural place to write all these proxy rules, right? So there's a new decorator at proxy. You can attach it to an individual item and say, here's the domain. So basically, as things are going through the proxy, all the requests are going through the proxy. If it matches that domain, it will look for that value and the placeholder value it injected, swap in the real one. And then as the request comes back in, it will also scrub any secrets. that might be in there. And that in itself is super, super exciting. there's a bunch of services that are kind of playing around with this, but they're all coupled to one provider, right? Or they're kind of clunky. They require you to go and deploy some infrastructure. I think our tool is just going to feel easier to use. And we can wire it up to any of the existing plugins we already have, which is pretty cool. Brandon (41:46.119) So maybe just walk me through kind of the use case. So what am I doing? Am I like doing something in Claude and I should configure the proxy or like kind of like how do I get to set up? How do I get the proxy in inside my workflow? Theo (41:58.778) I mean, it could be something you could be running Claude, you could be running a container with your actual application code in it. With all these supply chain attacks, you don't really know when the thing's gonna get exfiltrated. it's just better to... remove those secrets altogether. But basically it'll feel like using varloc today except for we have some extra proxy decorators in there that'll say, hey, this is the URL that this thing needs to go to. And then instead of doing varloc run, you do varloc proxy run. Or you could do varloc proxy start. It'll boot up the proxy and then boot up your container sandbox or whatever, pointing the traffic through that proxy. So a little more work, but I think we're gonna have some some nice ways to get started and make it easy. Probably you know if you're booting a Claude session it'll probably be as simple as you know varloc proxy run dash dash Claude and it will just go through the proxy. Brandon (42:56.519) Okay. And so that's so the I guess the the nice thing there then is it's never so I guess I just have the dummy variables or dummy values on my local machine. Go ahead. Uhhuh. Theo (43:03.504) See you get up. placeholder in the process has a placeholder. So if it logs it, if it tries to read it, anything, it just gets a fake value. But, and only when the request is going out to the real place it needs to go to does the real value get injected. What's really cool then is like, so this, that's pretty much already built. It's not released yet, but the next step of that is how do we add approvals to that workflow as well? So, you know, maybe one key is like, it's not that sensitive, just proxy it every time. No problem. Brandon (43:09.552) Okay. Brandon (43:16.058) Okay. Theo (43:34.286) But like let's say you have a stripe API key you have an agent doing some stuff Reads are fine. Let it let it go nuts But if the if the agents about to do a refund then you want a human to approve it, right? So these proxy rules you can say, okay, you know, here's the domain the domain is API dot stripe comm the path is you know, if it's opposed to slash refunds then I want to approve and We are building some really neat stuff around approvals like and not necessarily on the same device right so it's one thing if You're running on your machine, and you know we can just use the Mac app or the binaries pop up a little thing let you click approve But what if you're away from your computer? What if you're you know out on a walk, or what if that agent is actually running in the cloud? so we are going to have sort of a cloud service that is relaying these approvals in a blind way. So like you're using pass keys, you're using cryptography, know, sign messages, all that. So we are relaying all the approvals back to the, to the proxy that's running. But we don't actually see it. And you know, yeah, you can imagine you're running a thing, you're out for a walk. The agent's about to do something dangerous. You get a push notification and you just click yes, you know, approve, approve just this once, approve for 10 minutes, approve for this session. Yeah. Phil M. (45:04.46) Yeah, like we've literally have users too where it's you know, they they use one password locally and they're you know, like I Cloud Cloud is stalling while I'm having my lunch. I need you to I need you to delegate to this to my phone. Brandon (45:16.263) Hundred percent. This is back I mean, I think everybody this is back to like, this is so convenient. I just have to press but the biometric, but then I want to go do something else and I want the script to run for a long time. So so the fact that it can like just reach out and be like, Hey, I'm doing this, is it okay? Like that's fantastic. Well, the proxy, I mean it sounds super exciting. So hopefully that'll be out pretty soon. So I won't commit I won't won't commit you to a date here. but like maybe we should talk a little bit about you know, Varlock 'cause I I've used it, you know, open source, free, stuff like that. But like What what's I mean, this is almost like too good to be true here. Like so what's the business model? How how how are you guys gonna keep making money so that you can keep putting out new releases? Like, how are you thinking about that going forward? Phil M. (45:54.401) Yeah, so I mean the stuff that Theo's describing there where there's an infrastructure component, like these sort of remote approvals, I think that'll probably be like one of our first forays into monetization. but from day one, we've always been clear about where the boundaries are and where the light what the licenses are. We don't wanna we don't wanna have to do like we don't wanna do a license rug pull or relicense anything. So like what is free today will always be free. and just drawing those clear boundaries around what we can offer in addition to that. So team vaults is obviously a no-brainer. we can have our own varloc plugin for that. this remote approval stuff, I believe, is kind of the next step. There's some like fancy sort of package publishing stuff Theo showed me this morning that I think is probably an opportunity. So just, you know, more sort of scaled team solutions on top of the open source stuff. Anything to add there? Theo (46:52.051) yeah, I mean, I think some interesting things happen once you have this notion of identity baked in, right? In order to do these approvals, you have the, know, you have these native binaries, you have Paschies, you have sort of this cryptographic identity there. So you can do lots of interesting stuff like the, all the team vaults kind of thing that we've been wanting to do eventually that, requires a bit of that as well. so, you know, I think the proxy thing is the most exciting right now, cause it's just really needed in the industry. Like everyone's trying to figure out how. how the hell to use agents safely. So I think that's probably the first thing we'll try to monetize. But again, we'll probably still make it free if you're just running locally, doing approvals on your own machine. That's all gonna be free. Brandon (47:34.66) All right, I love that. Mm-hmm. Phil M. (47:34.784) And like another interesting thing we've prototyped that's kind of been simmering on the back burner for a few months is credential rotation and on-demand credentials. So the ability to not just fetch those API keys but rotate them and create them on demand as well. Brandon (47:52.369) Yeah, I I think I mean that sounds fantastic. And I guess it's you know, as I said on I've said on the show for years, long time one password user for like, you know, over a decade. And but I s it's there's something and it works well. So I have no complaints. But it's like as I think I said to one of you, maybe on Discord, it's like it's kind of weird sometimes. Like I've got this vault with all this like development stuff and then like the family Netflix passwords in this other vault. And it's like I I don't know. It's sometimes I'm just like, maybe I should just have a like I've looked at try to look at other solutions too. It's sort of like maybe there should just be like back to like the coupling, it's just like maybe this should be like in its own little world, you know, and and it should just be like, I don't know, more development centric, if you will. and so I d and I guess it's just interesting watching all of these secret managers because they there's so many different takes on it, right? You have like very enterprise things that are heavyweight that pe like people kind of want like don't want to get involved in. And then you have one password and maybe Bitwarden that are consumer and they're really convenient, but there's also like a weird kind of Theo (48:25.691) I Brandon (48:50.992) division of responsibility there. So I don't I don't know. What do you guys any thoughts on that? Phil M. (48:55.36) Yeah, I mean in Bitwarden and OnePassword are interesting because those are there's kind of a bifurcation even in both of those products, right? Like Bitwarden has a password manager and a secrets manager, and they don't talk to each other. And one password has a secrets manager, which is their main product, and then they have environments, which is their new sort of developer centric I I don't know what you call it, key value store with that segmented by environment, right? so they're clearly like Brandon (49:05.136) Mm-hmm. Brandon (49:19.738) Right. Phil M. (49:24.3) pushing into that segment as well into the sort of more dev tools world, but it's still pretty incomplete, I think. Theo (49:31.483) Yeah. And I will say like on our side, we from the beginning have wanted to build something that makes as much sense to use on a solo throwaway script as it does on a large team. a lot of the sort of best in class tools out there, they're not only just too expensive to use if you're, you know, just using it solo or on a small project, but they're also just too heavy to set up. it just, no one's going to go set up, you know, hash corp vault for just their own you know AI throwaway stuff right it's just not going to happen so we wanted something that makes sense to use yourself and then grow into a big team. Brandon (50:10.458) Yeah, no, I think that's that's the real key there. And I'll I'll just pick for a a lot of privileged identity managers or vaults that are like, you know, they're they're so heavyweight that, you know, you should go up to the developer, the development team, you're like, I want you to use this, and they're like, Hmm, I don't know. Maybe like may may it's like they're like, mm, maybe not. But anyway, that's that's neither here nor there. Okay, listen, I'm gonna Theo (50:23.867) Yeah. Phil M. (50:24.405) Well, we we have plugins for all of them now too. Theo (50:29.498) Yeah. Brandon (50:33.744) Give some links here, but then I want you guys to tell in a second w where they can find you. But like things I recommend, this is obviously you gotta check out the website. That's varlock.dev. And then you guys obviously have links to the GitHub. You should read the the whole spec. or if you're like me, and we didn't really get into it, but you do have a nice MCP server that's like that's the varlock docs, right? So I've got that running on my cloud code. So if you're like me, you just cheat. You just set that up and just ask Claude all your questions and it just figures it out. So that's really good. and then fantastic Discord. I know both of you are in it. You both are very active. It's has a really nice active community, friendly community, can ask lots of dumb questions. I've done it. There's other people there and asking good questions, giving good feedback. So if you're interested in this, I I think you should do all of that. Now starting with Phil, but do you have any other sites and more importantly, if they want to talk contact you personally for some reason, what's the best way to get in touch with yourself? Phil M. (51:26.547) Yeah, I mean so other sites, domino.io is curve's kind of our corporate site, dmno.io. but yeah, you can you can always hit us up on Discord. You can email you can email us at hello at well hello at varlock.dev or hello at dmno.dev anytime or either of our first names at either of those websites. what else? LinkedIn, blue sky. Brandon (51:54.204) Theo, you got any secret sites there? You got you got a good s you got your you got a site that you should mention? Mm-hmm. Phil M. (51:56.275) yeah, he's got a great secret side actually. Theo (51:57.014) Yeah, I've got a couple things. Well, one thing I'll say is if you all do want to set it up, we have some sweet stickers. And if you set your stuff up and let us know, we can send you some sweet swag. Phil M. (52:05.356) yeah. And so so I Brandon (52:05.488) there you go. Nice. Theo (52:11.287) Yeah, and another we've got some other open source kind of tools coming out this this little guys from a thing called bumpy, which is a change sets alternative. So a tool to help you do version bumps on on public software that you're releasing and generate change logs and all that. But yeah, to contact me, I'm on I'm on Twitter at Theo zero. So T H E O Z E R O blue sky as well. I don't remember what my blue sky name is. And yeah, another fun site to check out is howtostore.food, which is a little fun side project I built, which gives you instructions about the best way to store, you know, all different kinds of produce. And it's as I think one of the best use of native web view transitions. It's very slick. It's very cool. Yeah. Howtostore.food. Check it out. Phil M. (53:05.452) It's also very useful. Brandon (53:05.701) Well, not only is that a very slick site, it's also like a good way to just have discussions with people because you can be like, so do you do I mean either one is like, should this be refrigerated or not? That's a that's a common one. You can get you can have like lot you know what? People have lots of opinions. Even in my house, my house of just three people. We we somehow the three of us have the different opinions about what should be refrigerated. But now you can go to Theo's website and can you can learn for sure what what what is the right way. Now, I promised at the very beginning here, Phil, that you would explain to people how they could get some new music. Theo (53:14.939) Yeah. Yeah. Yeah. Theo (53:28.579) Yep. Brandon (53:35.661) So this is your chance. Where do they go? How do they hear you perform some some music? Phil M. (53:41.551) yeah, I actually just put up a site this morning for for the my little label. So unsafeharbor.com with a U, the Canadian way. or nautical artifacts on Bandcamp. I've got a a remix album coming out tomorrow that a bunch of folks remixed my last album. eight tracks, really interesting stuff, kind of like weirdo ambient stuff, great for getting work done. yeah, those those are the the main ones. Brandon (54:08.123) All right, listen, by the time this is out, that that side will be up. Who knows, maybe it would be like the number one things on Spotify. Who knows? You know what we don't know. Maybe he will have blown up by then. but I'm sure it's up by now. And for everyone else, listen, you know, Theo showed some stickers, but of course, if you would like a software defined talk sticker, all you have to do is send your postal address to stickers at software define talk dot com. I'm happy to send you a sticker anywhere in the world. And of course, Phil and Theo, thanks so much for being on the show today. Theo (54:35.013) Thanks for having us. Really appreciate it. Phil M. (54:35.34) Thank you. Brandon (54:37.263) And with that, we will talk to you next time.