docs(specs): v0.9.0 design — extension org GUI + pluggable second factor
Product audit (product-expert skill) recommended two priority items; this lands the audit record plus the two approved design specs that will drive the v0.9.0 multi-agent train.

- reviews/2026-06-20-product-audit.md — the roadmap audit (reality check, recommendations, PM brief) that drove the two items.
- specs/2026-06-20-extension-org-gui-design.md — bring the org vault to the extension at read+write parity. Org write is gated on a Day-1 signing spike (the org hook rejects unsigned commits; the extension pushes unsigned today; sign_for_git exists in WASM but is unused). Spike-fail degrades to read-only + write follow-up.
- specs/2026-06-20-pluggable-second-factor-design.md — key file as an alternative second factor (same 32-byte secret, same KDF; crypto-light), chosen at setup via a non-secret params hint, plus the positioning pivot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
128
docs/superpowers/reviews/2026-06-20-product-audit.md
Normal file
@@ -0,0 +1,128 @@
# Product Audit — Relicario — 2026-06-20 · fast

> Generated by the `product-expert` skill (roadmap audit, fast mode). Competitive
> read grounded in `references/competitive-landscape.md` (last-reviewed 2026-06-20).
> Advisory only — record of what was considered, not a commitment.

## Reality check

v0.8.1 tagged today: `relicario org add`/`edit` now covers **all 7 item types**
with collection-scoped, grant-enforced attachments — sitting on the
cryptographically serious v0.8.0 org backend (ECIES per-member key wrap,
signature-verifying pre-receive hook). The personal vault is genuinely complete
with full CLI↔extension parity. But the **defining reality is an asymmetry**:
Relicario has now built an entire enterprise org vault that *cannot be touched
from a browser* — the extension has zero org concept. The biggest recent
investment has no GUI surface. No lift is currently active.

**Drift found** (low severity, but catching it is this skill's job):
- `STATUS.md:7` — "Last release tagged: **v0.6.0**". Stale: v0.8.0 and v0.8.1 are
both tagged (`git tag`; release commit `2fa4d68`).
- `STATUS.md:8` + `ROADMAP.md:10` — "tag pending PM". Stale: the v0.8.1 tag is cut.
- `docs/user_docs/` (12-page end-user guide) merged as a fast-follow *after* the
tag — fine, just not inside the v0.8.1 tag.

## Assessment

**Strengths:** the wedge sits in a near-empty competitive cell — two factors
*into the KDF* + self-host + **zero server metadata** + git audit log (1Password
has the 2-factor KDF but is cloud-only; vaultwarden self-hosts but is
single-factor KDF). Personal vault is complete. Org backend is real cryptographic
work, now feature-broad.

**Gaps:** (1) the org vault is **invisible in the GUI** — extension has no org
read or write; the whole enterprise feature is stranded behind the CLI (rated
*critical*; traces to `docs/superpowers/specs/2026-06-20-extension-cli-parity-gap-analysis.md`).
(2) Personal-side parity holes that make a "parity-is-a-design-value" product feel
unfinished — favorites (no UI on either surface), group/tag editing only on some
forms, and autofill matching by **exact hostname** (so `www.github.com` misses a
login saved as `github.com`). (3) The pitch leads with steganography — the most
friction-heavy, least load-bearing part of the wedge.

**Risks:** mobile absence caps total addressable market — but for Relicario's
*self-selected* desktop/CLI audience that's a ceiling, not a bleeding wound, and
treating it as an emergency would import mass-market logic that doesn't fit this
product. The sharper risk is that a GUI-less org vault only ever reaches
CLI-native shops — a fraction of the market the org spec implies — stranding the
investment.

## Recommendations (leverage-ordered)

1. **REORDER — Put a GUI on the org vault you already built: extension org *read*
next, then *write*.** *Why:* the v0.8.0+v0.8.1 backend is stranded without it;
"unlock value already built" is the highest-ROI class of move; it's already
roadmap item #1, and CLI reached all-7-type org write in v0.8.1 so the write
path is unblocked. Outranks the command palette and personal-parity polish.
*Impact/Effort:* H / M. *Risk:* browser GitHost has no commit-signing path, so
write is harder than read — ship read first as its own slice. *Refinement:*
scope to org **item usage** (read/add/edit a shared credential), NOT admin ops
(member/key management staying CLI-only is a legitimate design choice; item
usage being CLI-only is not).

2. **PIVOT (positioning) — Re-lead with the thesis, demote stego to an *option*.**
*Why:* the most important thing the roadmap doesn't mention. A plain key file
delivers the identical 256-bit second factor; stego's only marginal benefit is
the niche "dead-drop on social media" story, while it carries the most unlock
friction and a SPOF the project already had to paper over with the recovery-QR.
The README leads with the gimmick and buries the moat. *Impact/Effort:* H / L
(messaging; keep the feature). *Risk:* stego is the product's identity — keep
it first-class-*optional*, don't delete it. *Adjacent thesis-level call:*
offering a plain key file as an alternative second factor would lower
onboarding friction for users who find "hide a secret in a JPEG" too weird — a
real ADD candidate, not just messaging.

3. **ADD (cheap, high-ROI) — Autofill matches by registrable domain (eTLD+1), not
exact hostname.** *Why:* exact-equality silently fails on the most common case
(`www.` vs apex), making the extension feel broken; small, contained fix.
*Impact/Effort:* M / L. *Risk:* use a public-suffix list to avoid over-matching.

4. **ADD — Close the personal parity holes: favorites UI + group/tag editing on
every item-type form.** *Why:* CLI↔extension parity is a stated design value;
family/individual users organize by exactly these. *Impact/Effort:* M / M.

5. **REORDER (defer) — Keep org phase-2 (SSO/LDAP, read audit, per-collection
subkeys, HTTP plane) parked behind extension org parity.** *Why:* high-effort,
no demand, pointless while the org feature has no GUI. *Impact/Effort:* M / H.

6. **CUT (future investment, not deletion) — Stop *deepening* the over-served
areas:** no more stego-robustness work, no recovery-QR elaboration, leave
field-history's knobs alone. Don't remove working features — just stop
investing in them.

7. **Housekeeping — sync `STATUS.md` and `ROADMAP.md:10`** to reflect v0.8.1 as
tagged. Five minutes; it's the exact drift this audit exists to catch.

**On mobile & v1.0:** mobile is the single biggest TAM ceiling, but a high-effort,
post-v1.0 bet that partly contradicts the desktop/CLI shape of the product — a
separate-product-scale investment, not the next move. Frame **v1.0 = the thesis,
fully usable on the surfaces you already support**: extension org parity +
personal parity holes closed + positioning sharpened. Mobile is a v1.x conversation.

## PM brief

```markdown
## PRODUCT DIRECTIVE TO PM
Time: 2026-06-20 (local)
Source: /product-expert roadmap audit (fast)

Reality note: v0.8.1 is TAGGED (org item-type parity). The org vault backend is
fully shipped but has ZERO extension GUI — the whole enterprise feature is
CLI-only. STATUS.md still says "Last release tagged: v0.6.0" and "tag pending PM";
sync those (5-min housekeeping) before anything else.

Roadmap changes (priority order):
1. REORDER — extension org READ (org switch + collection-filtered browse) is the
next slice; org WRITE follows as its own slice. Scope to item usage, not admin
ops. This outranks the command palette and personal-parity polish.
2. PIVOT (positioning) — re-lead messaging with "two secrets into the KDF +
self-host + zero server metadata + git audit"; present the stego image as an
optional second-factor flavor, not the headline. Keep the feature.
3. ADD — autofill: match by registrable domain (eTLD+1), not exact hostname.
4. ADD — favorites UI + group/tag editing across all item-type forms (parity).

Recommended next slice: extension org READ (H impact / M effort — puts a usable
face on the backend you already paid for).

Out of scope / do NOT pick up: org phase-2 (SSO/LDAP, read audit, per-collection
subkeys) until org has a GUI; further stego/recovery-QR hardening; mobile (post-v1.0).
```
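Review bot: the *Risk* line under recommendation 1 ("browser GitHost has no commit-signing path") is stronger than the commit message, which says `sign_for_git` already exists in WASM but is unused; rewording it to "has no commit-signing path wired up" keeps the audit consistent with where the Day-1 signing spike in the org-GUI spec actually starts. Separately, item 7 (sync `STATUS.md`/`ROADMAP.md:10`) sits last in the leverage-ordered list while the PM brief says to do it "before anything else"; either state in the heading that the list is ordered by leverage rather than sequence, or move the housekeeping item to the top so the two parts of the record agree.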