Dosu Logo
Home
Documents
opnDossier Product Requirements
opnDossier Product Requirements
Type
External
Status
Published
Created
Apr 19, 2026
Updated
Apr 19, 2026
Source
View
Product overview
📅 Target datev2.0 (Q2 2026) — open; v1.4.x bugfix train ongoing
🟡 Document statusDRAFT
👟 Team members@712020:58799a58-ec6f-4bd7-913b-1a50e01fd99f
Quick links
🗂 Work trackerJira NATS project, GitHub issues, Roadmap
📦 Repohttps://github.com/EvilBit-Labs/opnDossier
📝 Source specsproject_spec/requirements.md, project_spec/user_stories.md, project_spec/tasks.md, docs/plans/
🎨 DesignsN/A (CLI product)
🎥 Loom demoTBD

🎯 Objective#

opnDossier is a CLI tool that turns OPNsense and pfSense firewall configurations into readable documentation and security findings, fully offline. It is the flagship product of EvilBit Labs' Network Analysis suite and the near-term revenue focus of the company. The commercial positioning is "affordable RedSeal for operators" — offering RedSeal-class insight without RedSeal-class cost or deployment complexity.
Strategically the product ships as an open core: the community edition stays free and universal (multi-platform parsing, documentation conversion, baseline security analysis), while STIG/SANS/NIST compliance plugins, PDF reports, SIEM integration, and a desktop app move to the Professional tier. The OSS edition is what builds operator trust and developer credibility; the Pro tier is what funds the company.

📊 Success metrics#

GoalMetric
Become the default tool operators reach for on OPNsense/pfSense configsGitHub stars > 500; weekly binary downloads > 200; 5+ blog/conference mentions by end of 2026
Ship v2.0 with programmatic report generation30–50% faster report generation vs v1.x templates; binary size reduced by ≥10%; zero template execution paths remaining
Expand beyond OPNsensepfSense parser shipped in v1.5; 2+ additional platforms in public beta by end of 2026
Reach Pro-tier MVPLicensed feature separation landed; STIG plugin migrated to Pro; first paying customer in H2 2026
Maintain quality barTest coverage ≥ 85% in v2.0; zero dangerouslySkip or --no-verify paths; just ci-check green on every merge
Earn operator trustZero network calls verified in CI; reproducible builds with SBOM + signed binaries; ≥3 security-audit-friendly changelog entries per release

🤔 Assumptions#

  • Operators will accept a CLI as the primary interface. A GUI is deferred to the Professional tier and not required for adoption.
  • Offline / airgap operation is a hard requirement, not a preference. The tool cannot phone home, emit telemetry, or depend on cloud services at runtime or build time.
  • Users trust a tool they can audit. Every binary ships with an SBOM, all dependencies are pinned, and the codebase favors explicit Go over reflection or codegen.
  • The market gap is real. RedSeal serves enterprise budgets; pfFocus and similar OSS tools are unmaintained or Python-heavy. A modern Go tool with commercial polish wins operators who need something in between.
  • Go 1.21+ is available everywhere we deploy. No CGO, no dynamic linking — we ship a single static binary per platform.
  • Compliance plugin architecture can support future standards (PCI-DSS, NIST 800-53, CIS) without breaking existing consumers. The plugin interface is stable as of v1.2.

🌟 Milestones#

Aligned with docs/roadmap.md and docs/plans/backlog-order-of-operations.md:

ReleaseThemeTargetKey deliverables
v1.4.xPerformance + cleanupShipped 2026-04-03Hash-based dedup (NATS-7); template migration residuals (NATS-6)
v1.5pfSense parser + shared model moduleQ2 2026pfSense schema complete; NATS-3 ships evilbitlabs-network-model Go module; multi-vendor parser registry solidified
v2.0Programmatic generation, plugin hardeningQ3 2026No template execution paths (done); audit plugin interface refactors (NATS-134, NATS-135, NATS-136); blue/red mode completion (NATS-32)
Pro MVPOpen-core separation + licensingQ3 2026License key signing (NATS-101); STIG migrated to Pro (NATS-82, NATS-90); PDF/SARIF/SIEM outputs (NATS-98); first paying customer
Compliance expansionPCI-DSS, NIST, CISQ4 2026PCI Req 1 (NATS-4); custom rule engine (NATS-5, NATS-96); structured remediation (NATS-22)
FutureMulti-platform, topology, desktop2027Cisco ASA, Fortinet, Palo Alto parsers; Mermaid/Graphviz topology output; Wails desktop app

📝 Requirements#

Curated high-level requirements from project_spec/requirements.md (F001–F026) and project_spec/user_stories.md (US-001–US-048). Full requirement IDs remain canonical in the source files.

RequirementUser StoryImportanceJira IssueNotes
Parse OPNsense and pfSense config.xml with schema validation; emit actionable line/column error messages on malformed inputUS-001, US-002: operator parses configs offline; auditor gets actionable errors on bad XMLHIGHShipped in v1.0 (OPNsense); pfSense in v1.5Implemented via pkg/parser registry. Multi-vendor support via parser.Factory.
Convert parsed config to Markdown, JSON, YAML, plain text, or HTML with configuration hierarchy preservedUS-003, US-005: admin produces readable docs; docs team exports to filesHIGHShipped in v1.0; programmatic gen in v2.0convert command. Programmatic generation via NATS-6 replaces templates for performance/maintainability.
Operate completely offline with zero external dependencies, zero telemetry, no network calls at runtimeUS-007, US-008, US-025: airgap operators; compliance auditors; sensitive-environment useHIGHShipped + CI-enforcedVerified via CI net-block tests. Hard product tenet.
Display configs in terminal with syntax highlighting, light/dark theme detection, graceful fallback for non-color terminalsUS-004, US-043, US-044: admins reading configs; operators on varied terminal envsMEDIUMShipped in v1.0display command. glamour for Markdown rendering, lipgloss for theming. TERM=dumb fallback.
Audit configs in blue-team mode (defensive findings with severity + remediation) and red-team mode (attack-surface enumeration)US-046, US-047: red-team recon; blue-team defensive auditHIGHNATS-32 (blue/red completion), NATS-22 (remediation)audit command. Blue mode runs compliance plugins. Red mode currently stubbed (per GOTCHAS.md §8.4) pending completion.
Plugin-based compliance architecture: standardized interface, dynamic registration, lifecycle management, per-plugin configF022 derived; no direct US (infrastructure requirement)HIGHNATS-134, NATS-135, NATS-136Cybersecurity Best Practices + SANS + STIG plugins shipped. Hardening refactors in progress. STIG moving to Pro.
Configuration precedence: CLI flags > env vars (OPNDOSSIER_*) > YAML config > defaultsUS-012, US-013, US-014: team environments; sensitive-option handling; runtime overridesMEDIUMShipped in v1.0Viper-backed. Tested across all commands.
Data sanitization: redact sensitive values (passwords, API keys, SNMP communities, private keys) for safe sharingUS-026, US-027: auditor must not leak config; compliance teams sharing configs externallyHIGHShipped in v1.2sanitize command. Covers bcrypt/sha512 hashes, LDAP bind passwords, TLS private keys. Continuously expanded.
Configuration diff: compare two configs side-by-side with semantic change detectionImplicit in operator workflows (not in US-*)MEDIUMShipped in v1.2diff command. Semantic change categorization.
Cross-platform binaries: Linux, macOS, Windows (amd64 + arm64); signed + SBOM-attachedUS-028, US-029, US-031, US-032: cross-platform ops; containers; static binariesHIGHShipped + automated via GoReleasermacOS notarization wired. Scoop Windows manager planned (NATS-79).
Pro tier: license-key validation, feature gating, STIG plugin, PDF/SARIF/SIEM outputs, structured remediationN/A (commercial tier)HIGHNATS-101, NATS-82, NATS-90, NATS-98Open-core separation. Ed25519-signed licenses. Pro repo separate from OSS.
Test coverage ≥ 80% community edition (≥ 85% in v2.0); just ci-check green on every merge; race detector cleanUS-020, US-021, US-033: developer trust; production reliability; quality enforcementHIGHEnforced via CI gatesPer AGENTS.md code quality policy: zero tolerance for tech debt.

⚠️ Out of Scope#

  • Real-time firewall configuration management or live device control. opnDossier reads config.xml files; it does not push config to devices or integrate with live firewall APIs.
  • GUI or web interface in the community edition. A native desktop app via Wails is a Professional-tier roadmap item, not a v2.0 commitment.
  • Telemetry, analytics, or any form of phone-home. This is a hard product tenet, not a feature toggle.
  • Configuration backup/restore or config generation. opnDossier analyzes existing configs; it does not create new ones. The sister project OPNsense-config-faker handles synthetic config generation.
  • Custom template engine for report output. Templates were fully removed in NATS-6 for v2.0; extensibility is via Go code (exported ReportBuilder interface), not text templates.
  • Platform coverage beyond the published roadmap. Parsers for Cisco/Fortinet/Palo Alto/Juniper/MikroTik/Ubiquiti are planned but each is a significant engineering lift; they ship when they're ready, not to a date.
  • Cloud or SaaS deployment of opnDossier itself. The product is a single static binary. A hypothetical hosted service is not on the roadmap.

🎨 Design#

  • System architecture: docs/development/architecture.md + docs/architecture-diagram.mmd (Mermaid source).
  • Data flow: config.xmlpkg/parser (vendor-specific) → pkg/model.CommonDevice (vendor-neutral) → internal/enrichmentinternal/converter (output format) → file or stdout.
  • Compliance pipeline: CommonDeviceaudit.PluginManager → per-plugin RunChecks()audit.Report → mode-specific renderer (blue/red).
  • Plugin registry: dynamic .so loading opt-in via --plugin-dir; bundled plugins (Cybersecurity Best Practices, SANS, STIG) registered at init() time.

❓ Open questions#

QuestionAnswerDate Answered
What is the committed target date for v2.0?TBD — gated on programmatic generation parity testing (NATS-18) and plugin interface hardening (NATS-134NATS-136)
Which compliance framework ships first in the Pro tier: PCI-DSS Req 1 or CIS Benchmark?PCI-DSS Req 1 (NATS-4) is scoped; CIS is roadmap-only. Prioritization depends on early customer demand.
Does the Pro tier require a separate repo clone, or is it a license-unlocked build from the same codebase?Current plan: separate opnDossier-pro repo with open repo as a Go module dependency. Revisit if build complexity becomes a distribution blocker.
What is the deprecation policy for the OSS STIG plugin once it moves to Pro?TBD — options: keep it frozen at the last OSS version; remove entirely; transition window with notice.
How do we validate pfSense coverage parity before committing to "multi-vendor"?Golden-file testing against real customer configs (anonymized). Need a PRD follow-up on test corpus acquisition.

🗂 Reference Links#

Source specifications

  • project_spec/requirements.md — F001-F026 functional requirements + tech stack + architecture
  • project_spec/user_stories.md — US-001 through US-048 in EARS format
  • project_spec/tasks.md — release roadmap v1.0 through v2.0 with task-level status
  • docs/plans/backlog-order-of-operations.md — sequenced execution plan with story points and epic assignments
  • docs/plans/*.md — in-flight architectural plans (reportbuilder split, parser registry, DecodeDocument elimination, Kea DHCP model, template removal)
  • AGENTS.md — code quality policy, mandatory practices, code review checklist
  • GOTCHAS.md — non-obvious behaviors and hard-won lessons (plugin architecture, CLI flag wiring, sanitizer ordering, etc.)
    Public documentation
  • README — product overview, installation, quick start
  • docs/roadmap.md — public roadmap
  • docs/compliance-standards.md — compliance framework coverage
  • docs/development/architecture.md — architecture reference
    Related
  • pfFocus — the Python-based config.xml parser that inspired this project
  • OPNsense-config-faker — Rust-based config generator (sister project for test fixtures)
  • EvilBit Threat Manager — sibling product in the Network Analysis suite
opnDossier Product Requirements | Dosu