relicario/.claude/skills/product-expert/references/competitive-landscape.md
adlee-was-taken c3044ed5af feat(skills): add product-expert roadmap-audit + spec-review strategist
A standalone, self-triggering skill that acts as Relicario's product
strategist: audits the roadmap and reviews freshly-brainstormed release
specs for product/market fit, emitting PM-ready relay directive blocks.
Advisory only — the user stays the decision-maker.

- Two modes: roadmap audit (default) and spec review (verdict:
  PROCEED / RESCOPE / CUT / PIVOT).
- Four-lens engine run as parallel subagents: ground-truth (verify
  claims vs code/git, distinguishing an in-flight lift from real drift),
  jobs-to-be-done, market/competitive, and strategy synthesis.
- Fast by default; `deep` adds live competitive web research.
- Durable by design: lenses read living docs (README/ROADMAP/STATUS/
  CHANGELOG/specs) at runtime, so new surfaces/segments/features are
  picked up automatically. The one static asset, competitive-landscape.md,
  carries a last-reviewed date + freshness protocol.
- Wires a post-brainstorm product gate into CLAUDE.md's Planning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 22:30:48 -04:00


Competitive landscape — password managers

last-reviewed: 2026-06-20. This file is the only static, rot-prone asset in the skill (the four lenses otherwise read living docs at runtime). The market moves: competitors ship features, get breached, change pricing, appear, and die. Treat every claim below as "true as of last-reviewed, verify if it matters."

Freshness protocol:

  • If last-reviewed is more than ~6 months before today, treat this file as suspect: prefer running the market lens in deep mode (live web research) over trusting the snapshot, and at the end of the run offer to refresh this file (re-research the competitors, rewrite the entries, bump last-reviewed).
  • Any time a deep-mode run surfaces something this file gets wrong or misses (a new competitor, a shipped feature, a breach), offer to fold it back in and bump the date. The cheat-sheet should improve every time it's proven stale.

A grounding cheat-sheet for the market lens in fast mode so it reasons from a real map, not vibes.

The goal isn't to rank these for everyone — it's to locate Relicario's wedge honestly: where the two-factor / self-host / git-backed / server-sees-ciphertext thesis genuinely wins for the target user, and where Relicario is simply behind on table stakes.


The field

Bitwarden

  • Open-source, freemium, cloud-hosted by default; self-host possible (the official server is heavy; vaultwarden is the popular lightweight Rust reimplementation).
  • Single-factor KDF: master password (optionally with 2FA gating login, not the KDF). Server breach entropy rests on the master password alone.
  • Strong on: ubiquity, mature mobile + browser autofill, painless import/export, organizations & sharing, low/zero price.
  • The default thing a privacy-conscious technical user reaches for. This is Relicario's primary reference competitor — most "why not just use X" pressure comes from here (specifically self-hosted vaultwarden).

vaultwarden

  • Community Rust server compatible with Bitwarden clients; trivial to self-host (single container). Inherits Bitwarden's polished clients for free.
  • This is the sharpest comparison for Relicario's self-host story: a user who wants self-hosted secrets already has a turnkey, full-featured option with mobile apps and autofill. Relicario must justify what it adds over this.

KeePassXC (+ KeePass ecosystem)

  • Local-first, file-based (.kdbx), no server at all; sync is BYO (Dropbox, Syncthing, git, etc.). Open-source, free.
  • Single-factor by default but supports key files / hardware keys as a second factor — conceptually the closest mainstream analog to Relicario's "something you have" image secret (a key file is the unglamorous version of the stego image).
  • Strong on: zero-trust-server (there is no server), longevity, plugin ecosystem.
  • Weak on: clunky cross-device sync, dated UX, mobile is third-party.
  • The other user Relicario competes for: the "I don't trust any cloud" crowd.

1Password

  • Commercial, polished, cloud-only (no self-host). Two-factor KDF: master password + a 128-bit Secret Key — the mainstream product whose security model is closest in spirit to Relicario's (two factors into the key derivation).
  • Strong on: best-in-class UX, mobile, autofill, family/team sharing, support.
  • Relevant because it proves the two-factor-KDF idea is marketable — but it does it with a boring random Secret Key, not steganography, and gives up self-host.

Proton Pass

  • Newer, from Proton (Mail/VPN); privacy-positioned, cloud, freemium, open-source clients. Single-factor KDF; leans on brand trust and the Proton bundle.
  • Relevant as the "privacy brand" competitor — it wins on trust + ecosystem, not on a novel crypto model.

LastPass (cautionary tale, not a competitor to chase)

  • Repeated breaches (notably 2022) where exfiltrated vaults were only as strong as users' master passwords — the canonical argument for a second KDF factor.
  • Useful in positioning: Relicario's README already uses LastPass as the "~4060 bits, single factor" baseline. The market lesson is real and on Relicario's side, but invoking it is marketing, not differentiation.

Where Relicario can win (the honest version)

  • Server sees only ciphertext and no metadata, versus a self-hosted backend that still stores structured data. This is a genuine, explainable edge over vaultwarden for the threat-model-literate user.
  • Two factors into the KDF (not just 2FA on login) — only 1Password really matches this, and it isn't self-hostable. That intersection (two-factor KDF + self-host) is close to empty. That's the wedge.
  • Git as audit log — "when was this rotated?" answered by git log and field history. Niche, but unique and real for the audit-conscious user.
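The single-factor versus two-factor KDF distinction drawn above (Bitwarden's master-password-only derivation versus 1Password's password plus Secret Key, and the "server breach entropy rests on the master password alone" point) is the core of the wedge, so here is an added illustration in Python. It is not Relicario's, Bitwarden's or 1Password's code: it models both derivations with stdlib PBKDF2 and shows what a leaked server-side record (salt plus a key-check value) lets an attacker test offline. The salt, client secret, password, guess list, iteration count and the HMAC salt-binding construction are all constructed assumptions; 1Password's real two-secret key derivation is a different construction.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo parameters. The iteration count is deliberately low so the
# example runs quickly; a real vault uses a memory-hard KDF or a far higher count.
ITERATIONS = 10_000
KEY_LEN = 32

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")        # constructed, stored server-side
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 128-bit client-held secret
MASTER_PASSWORD = "purple-otter-42"                               # constructed weak-ish password
CANDIDATES = ["password", "hunter2", "purple-otter-42", "letmein"]  # constructed guess list


def single_factor_key(master_password: str, salt: bytes) -> bytes:
    """Bitwarden/KeePass-default model: the vault key is a function of the
    password and a salt the server stores. Nothing else enters the KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, KEY_LEN)


def two_factor_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-factor-KDF model (simplified, assumed construction): a random client-held
    secret is bound into the salt before the password KDF runs, so both the
    password and the secret are needed to reproduce the key."""
    bound_salt = hmac.new(secret_key, salt, "sha256").digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), bound_salt, ITERATIONS, KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Stand-in for whatever key-dependent material a server holds (a login
    verifier, or simply the ciphertext an attacker can try to decrypt)."""
    return hmac.new(key, b"demo-key-check", "sha256").digest()


def leaked_server_record(two_factor: bool) -> dict:
    """Everything a server-side breach exposes in this model: the salt and the
    key-check value. The client secret is never stored server-side."""
    if two_factor:
        key = two_factor_key(MASTER_PASSWORD, SECRET_KEY, SALT)
    else:
        key = single_factor_key(MASTER_PASSWORD, SALT)
    return {"salt": SALT, "kcv": key_check_value(key)}


def password_recoverable_from_breach(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Model the attacker's position after a breach: they hold the record and a
    guess list but not the client secret, so each guess can only be run through
    the single-factor derivation. Returns the matching password, or None."""
    for guess in candidates:
        candidate_kcv = key_check_value(single_factor_key(guess, record["salt"]))
        if hmac.compare_digest(candidate_kcv, record["kcv"]):
            return guess
    return None


if __name__ == "__main__":
    # Single factor: the weak password in the guess list is enough to recover the key.
    print("single-factor breach recovers:", password_recoverable_from_breach(leaked_server_record(False), CANDIDATES))
    # Two factors: the same guess list is useless without the 128-bit client secret.
    print("two-factor breach recovers:   ", password_recoverable_from_breach(leaked_server_record(True), CANDIDATES))
```

The second run returns None not because the password is stronger but because the search space the breached record constrains is password plus a 128-bit secret that never touched the server; that is the property the "two factors into the KDF, not just 2FA on login" bullet is pointing at, and it is also why login-time 2FA (which gates the API, not the derivation) gives no such protection once the vault data is exfiltrated.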

Where Relicario is behind (table stakes to be honest about)

  • Mobile. Bitwarden/1Password/Proton all have first-class mobile apps with autofill. Relicario is CLI + browser extension; the Rust core compiles to ARM but there's no shipped mobile client. For most users this alone is disqualifying — weigh it heavily.
  • Autofill quality & breadth. Browser-extension autofill maturity is a moat the incumbents have spent years on.
  • Frictionless import from the incumbents (Bitwarden, 1Password) — LastPass CSV exists; the others are on the roadmap. Import friction is a real adoption tax.
  • Sharing / multi-user polish. The org-vault track is new; incumbents have mature org/family sharing.

The uncomfortable question to keep asking

For a user who wants self-hosted secrets, vaultwarden already exists and is turnkey with great clients. Every Relicario feature should be weighed against: "does this widen the gap on the thesis (two-factor KDF, no-metadata, git audit), or is it just trying to catch up to vaultwarden on table stakes I'll never win?" The strategy lens should treat catching up to vaultwarden's client polish and deepening the unique thesis as different bets with very different ROI.