feat(skills): add product-expert roadmap-audit + spec-review strategist
A standalone, self-triggering skill that acts as Relicario's product strategist: audits the roadmap and reviews freshly-brainstormed release specs for product/market fit, emitting PM-ready relay directive blocks. Advisory only — the user stays the decision-maker.

- Two modes: roadmap audit (default) and spec review (verdict: PROCEED / RESCOPE / CUT / PIVOT).
- Four-lens engine run as parallel subagents: ground-truth (verify claims vs code/git, distinguishing an in-flight lift from real drift), jobs-to-be-done, market/competitive, and strategy synthesis.
- Fast by default; `deep` adds live competitive web research.
- Durable by design: lenses read living docs (README/ROADMAP/STATUS/CHANGELOG/specs) at runtime, so new surfaces/segments/features are picked up automatically. The one static asset, competitive-landscape.md, carries a last-reviewed date + freshness protocol.
- Wires a post-brainstorm product gate into CLAUDE.md's Planning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
@@ -0,0 +1,114 @@
# Competitive landscape — password managers

> **last-reviewed: 2026-06-20.** This file is the only static, rot-prone asset in
> the skill (the four lenses otherwise read living docs at runtime). The market
> moves: competitors ship features, get breached, change pricing, appear, and
> die. Treat every claim below as "true as of last-reviewed, verify if it
> matters."

**Freshness protocol:**
- If `last-reviewed` is **more than ~6 months** before today, treat this file as
suspect: prefer running the market lens in **deep** mode (live web research)
over trusting the snapshot, and at the end of the run *offer to refresh this
file* (re-research the competitors, rewrite the entries, bump `last-reviewed`).
- Any time a **deep**-mode run surfaces something this file gets wrong or misses
(a new competitor, a shipped feature, a breach), offer to fold it back in and
bump the date. The cheat-sheet should improve every time it's proven stale.

A grounding cheat-sheet for the market lens in **fast** mode so it reasons from a
real map, not vibes.

The goal isn't to rank these for everyone — it's to locate Relicario's wedge
honestly: where the two-factor / self-host / git-backed / server-sees-ciphertext
thesis genuinely wins for the target user, and where Relicario is simply behind
on table stakes.

---

## The field

### Bitwarden
- Open-source, freemium, cloud-hosted by default; self-host possible (official
server is heavy; **vaultwarden** is the popular lightweight Rust reimpl).
- Single-factor KDF: master password (optionally with 2FA gating *login*, not the
KDF). Server breach entropy rests on the master password alone.
- Strong on: ubiquity, mature mobile + browser autofill, painless import/export,
organizations & sharing, low/zero price.
- The default thing a privacy-conscious technical user reaches for. **This is
Relicario's primary reference competitor** — most "why not just use X" pressure
comes from here (specifically self-hosted vaultwarden).

### vaultwarden
- Community Rust server compatible with Bitwarden clients; trivial to self-host
(single container). Inherits Bitwarden's polished clients for free.
- This is the sharpest comparison for Relicario's self-host story: a user who
wants self-hosted secrets already has a turnkey, full-featured option with
mobile apps and autofill. Relicario must justify what it adds *over* this.

### KeePassXC (+ KeePass ecosystem)
- Local-first, file-based (`.kdbx`), no server at all; sync is BYO (Dropbox,
Syncthing, git, etc.). Open-source, free.
- Single-factor by default but supports key files / hardware keys as a second
factor — conceptually the closest mainstream analog to Relicario's "something
you have" image secret (a key file is the unglamorous version of the stego
image).
- Strong on: zero-trust-server (there is no server), longevity, plugin ecosystem.
- Weak on: clunky cross-device sync, dated UX, mobile is third-party.
- The other user Relicario competes for: the "I don't trust any cloud" crowd.

### 1Password
- Commercial, polished, cloud-only (no self-host). **Two-factor KDF**: master
password + a 128-bit Secret Key — the mainstream product whose security model
is closest in spirit to Relicario's (two factors into the key derivation).
- Strong on: best-in-class UX, mobile, autofill, family/team sharing, support.
- Relevant because it proves the two-factor-KDF idea is marketable — but it does
it with a boring random Secret Key, not steganography, and gives up self-host.

### Proton Pass
- Newer, from Proton (Mail/VPN); privacy-positioned, cloud, freemium, open-source
clients. Single-factor KDF; leans on brand trust and the Proton bundle.
- Relevant as the "privacy brand" competitor — it wins on trust + ecosystem, not
on a novel crypto model.

### LastPass (cautionary tale, not a competitor to chase)
- Repeated breaches (notably 2022) where exfiltrated vaults were only as strong
as users' master passwords — the canonical argument *for* a second KDF factor.
- Useful in positioning: Relicario's README already uses LastPass as the "~40–60
bits, single factor" baseline. The market lesson is real and on Relicario's
side, but invoking it is marketing, not differentiation.

---

## Where Relicario can win (the honest version)

- **Server-sees-only-ciphertext + no metadata** against a self-host backend that
still stores structured data. This is a genuine, explainable edge over
vaultwarden for the threat-model-literate user.
- **Two factors into the KDF** (not just 2FA on login) — only 1Password really
matches this, and it isn't self-hostable. That intersection (two-factor KDF +
self-host) is close to empty. That's the wedge.
- **Git as audit log** — "when was this rotated?" answered by `git log` and field
history. Niche, but unique and real for the audit-conscious user.

## Where Relicario is behind (table stakes to be honest about)

- **Mobile.** Bitwarden/1Password/Proton all have first-class mobile apps with
autofill. Relicario is CLI + browser extension; the Rust core compiles to ARM
but there's no shipped mobile client. For most users this alone is
disqualifying — weigh it heavily.
- **Autofill quality & breadth.** Browser-extension autofill maturity is a moat
the incumbents have spent years on.
- **Frictionless import** from the incumbents (Bitwarden, 1Password) — LastPass
CSV exists; the others are on the roadmap. Import friction is a real adoption
tax.
- **Sharing / multi-user polish.** The org-vault track is new; incumbents have
mature org/family sharing.

## The uncomfortable question to keep asking

For a user who wants self-hosted secrets, **vaultwarden already exists and is
turnkey with great clients.** Every Relicario feature should be weighed against:
"does this widen the gap on the thesis (two-factor KDF, no-metadata, git audit),
or is it just trying to catch up to vaultwarden on table stakes I'll never win?"
The strategy lens should treat *catching up to vaultwarden's client polish* and
*deepening the unique thesis* as different bets with very different ROI.
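Review bot: the first and third bullets under "Where Relicario can win" contradict each other as written and the file should reconcile them before the market lens repeats the claim: "Server-sees-only-ciphertext + no metadata" cannot hold against the same observer as "Git as audit log", where rotation time is "answered by `git log` and field history", because anyone who can read that git history also sees commit timestamps, author identity, and per-commit blob counts and sizes, which is precisely the rotation timeline the third bullet sells. Suggest narrowing the first bullet to the party it is true for (for example the host that only stores the repository) and stating what git does reveal, or rewording "no metadata" to "no plaintext vault schema", so the "no-metadata" item in the closing question matches what the product actually hides. Two smaller points in the same hunk: the competitor entries record factor count ("Single-factor KDF", "Two-factor KDF") but never the KDF algorithm or cost parameters, which are the other half of offline-attack cost on an exfiltrated vault and are something the commit message's "verify claims vs code/git" lens could actually check, so a KDF line per entry would make the "Server breach entropy rests on the master password alone" comparison concrete; and `last-reviewed` lives only inside a prose blockquote, so the ~6-month staleness rule depends on an agent parsing a sentence, where a dedicated `last-reviewed:` line or front-matter key would let the freshness protocol compare dates mechanically.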