opnDossier Backlog Order of Operations
Source: docs/plans/backlog-order-of-operations.md in the opnDossier repo
Velocity assumption: ~6 SP/week (historical)
Last sourced: 2026-04-02 from repo; SPs applied to Jira on 2026-04-16 (see opnDossier Product Requirements and opnDossier Pro Product Requirements)
How to read this
Issues are prefixed by repo: open = EvilBit-Labs/opnDossier, pro = EvilBit-Labs/opnDossier-pro. Epics live in opnDossier-pro as the internal execution layer.
Groups are ordered for sequential burn-down. Items within a group may run in parallel unless explicitly noted as sequential.
Context: how this connects to the product
Product Backlog
Burn through in order. Each group is backed by an epic in opnDossier-pro with a task-list tracking progress.
1. Cleanup & Quick Wins — pro#63 (17 SP, ~3 weeks)
Small refactors, performance fixes, and architecture cleanup.
| # | Repo | SP | Title |
|---|---|---|---|
| 511 | open | 1 | refactor(audit): consolidate inventory finding type into shared constant |
| 457 | open | 2 | refactor(cli): remove dead audit plumbing from convert command |
| 286 | open | 3 | perf(analysis): replace O(n²) duplicate rule detection with hash-based O(n) approach |
| 288 | open | 1 | perf(converter): cache EffectiveAddress() results for NAT rules during conversion |
| 455 | open | 2 | feat(plugin): populate Finding.Control field from control ID in all compliance plugins |
| 447 | open | 2 | refactor(audit): clarify directory-level vs per-plugin error distinction in InitializePlugins |
| 446 | open | 3 | refactor(audit): eliminate temporal coupling between SetPluginDir and InitializePlugins |
| 380 | open | 3 | feat(cli): Expose missing CLI flags via environment variables and config file |
2. Open-Core Separation — pro#64 (11 SP, ~2 weeks)
These must happen together — STIG moves from open to pro.
| # | Repo | SP | Title |
|---|---|---|---|
| 389 | open | 3 | Remove STIG plugin from open repo (migrate to pro) |
| 32 | pro | 5 | Open Core Separation (STIG to Pro) |
| 9 | pro | 3 | P3-1: Migrate STIG compliance plugin from open repo |
3. Compliance Engine Expansion — pro#65 (32 SP, ~5.5 weeks)
Model fields that feed compliance controls, plugin expansion, and manual validation docs. Batch these — each is small, and they compound.
| # | Repo | SP | Title |
|---|---|---|---|
| 499 | open | 1 | feat(model): add MaximumStates to CommonDevice (FIREWALL-035) |
| 496 | open | 2 | feat(model): add WebGUI fields to CommonDevice for compliance controls |
| 497 | open | 2 | feat(model): add login protection config to CommonDevice (FIREWALL-015) |
| 498 | open | 3 | feat(model): add AuthServer (LDAP/RADIUS) config to CommonDevice (FIREWALL-019) |
| 500 | open | 3 | feat(model): add certificate analysis fields for expiry and key length (FIREWALL-037, -038) |
| 501 | open | 2 | feat(model): add UPnP/NAT-PMP config to CommonDevice (FIREWALL-057) |
| 502 | open | 2 | feat(model): add Unbound interface binding to CommonDevice (FIREWALL-059) |
| 503 | open | 3 | feat(model): add config revision tracking to CommonDevice (FIREWALL-060) |
| 508 | open | 2 | feat(compliance): add optional Href field to Control for linking control IDs to documentation |
| 306 | open | 3 | feat(schema): parse OPNsense Unbound MVC model for DNS rebind and advanced settings |
| 512 | open | 5 | feat(plugin): add VPN, NTP, syslog, and certificate inventory controls |
| 504 | open | 1 | docs(plugin): add manual validation guidance for SSH banner check (FIREWALL-001) |
| 505 | open | 1 | docs(plugin): add manual validation guidance for MOTD check (FIREWALL-003) |
| 506 | open | 1 | docs(plugin): add manual validation guidance for vulnerability testing (SANS-FW-010) |
| 507 | open | 1 | docs(plugin): add manual validation guidance for security policy compliance (SANS-FW-011) |
4. Blue/Red Mode Completion — pro#66 (8 SP, ~1.5 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 281 | open | 8 | feat(audit): complete blue and red audit mode implementations |
| # | Repo | SP | Title |
|---|---|---|---|
| 285 | open | 3 | perf(processor): remove unnecessary mutex serialization in CoreProcessor |
| 289 | open | 2 | perf(converter): memoize statistics and analysis computation for multi-format exports |
| 291 | open | 3 | perf: reduce allocations in hot paths (table building, slice/map pre-allocation) |
| 292 | open | 3 | ci(benchmarks): expand benchmark coverage and add profiling tooling |
| 297 | open | 5 | test: fill unit-test coverage gaps in converter services, parser, and analysis packages |
| 482 | open | 1 | (question): github action support? |
6. Pro Scaffold & Licensing — pro#18 (20 SP, ~3.5 weeks)
Sequential dependency chain. Must be done in this order.
| # | Repo | SP | Title |
|---|---|---|---|
| 2 | pro | 2 | P2-1: Initialize Go module with open repo dependency |
| 3 | pro | 3 | P2-2: Establish Ed25519 Keypair Infrastructure for License Signing & Validation |
| 4 | pro | 5 | P2-3: Implement license validation package |
| 5 | pro | 3 | P2-4: Build license generation CLI tool (internal) |
| 6 | pro | 3 | P2-5: Implement conditional feature registration |
| 7 | pro | 2 | P2-6: Set up GoReleaser config for opndossier-pro |
| 8 | pro | 2 | P2-7: End-to-end validation gate |
7. Pro MVP & Release — pro#19 (16 SP, ~2.5 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 10 | pro | 5 | P3-2: Implement structured remediation guidance |
| 11 | pro | 3 | P3-3: MVP integration testing |
| 13 | pro | 5 | P4-2: Pro documentation |
| 14 | pro | 3 | P4-3: First Pro release checklist (v1.0.0-pro) |
8. CLI & Distribution Polish — pro#68 (13 SP, ~2 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 517 | open | 2 | feat(display): add --pager flag for built-in pager support |
| 375 | open | 2 | feat(build): Add Scoop Package Manager Support for Windows via GoReleaser |
| 221 | open | 3 | Add pfFocus-compatible output format/template |
| 283 | open | 3 | refactor(cmd): extract shared ProcessFile helper to eliminate duplicated boilerplate |
| 27 | pro | 3 | CLI Polish & Distribution |
9. Compliance Expansion — pro#69 (29 SP, ~5 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 204 | open | 8 | feat(compliance): Implement PCI-DSS Requirement 1 firewall configuration checks |
| 31 | pro | 8 | Cybersecurity Best Practices Scanning (OPNsense) |
| 62 | pro | 13 | Implement Compliance Scanning Integration as Premium Feature |
10. Audit Features — pro#70 (15 SP, ~2.5 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 206 | open | 5 | feat(audit): Add structured remediation guidance to compliance findings |
| 202 | open | 5 | Firewall rule shadowing detection |
| 203 | open | 5 | Unused object detection |
| # | Repo | SP | Title |
|---|---|---|---|
| 209 | open | 5 | Add SARIF export format for CI/CD security integration |
| 35 | pro | 5 | Professional Report Output |
| 208 | open | 5 | Add SIEM export formats (CEF/LEEF/JSONL) for audit findings integration |
12. Go-to-Market — pro#26 (24 SP, ~4 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 40 | pro | 5 | opnDossier Landing Page |
| 39 | pro | 2 | Pro Tier Pricing & Packaging |
| 38 | pro | 8 | License Key System & Payment |
| 41 | pro | 3 | Community Seeding |
| 43 | pro | 3 | Email Nurture for Pro Interest List |
| 44 | pro | 3 | Case Study / Use Case Content |
13. Polish & Tech Debt — pro#72 (39 SP, ~6.5 weeks)
| # | Repo | SP | Title |
|---|---|---|---|
| 378 | open | 5 | feat(sanitizer): Add --unsanitize flag for bidirectional sanitization round-trips |
| 282 | open | 5 | refactor(model): eliminate re-export layer — migrate 93 type aliases to direct schema imports |
| 469 | open | 3 | Add Interactive Terminal Demos (VHS Tapes) to Feature Documentation |
| 30 | pro | 3 | Audit Mode Stabilization |
| 45 | pro | 3 | CLI Polish & Distribution |
| 54 | pro | 3 | Tech Debt / Performance / Maintenance |
| 55 | pro | 3 | Performance |
| 56 | pro | 3 | Refactoring / Tech Debt |
| 57 | pro | 3 | Schema / Parsing Enhancements |
| 12 | pro | 8 | P4-1: Sales infrastructure |
| 42 | pro | 5 | Content Pipeline Setup |
| 29 | pro | 8 | pfSense Configuration Support — Pro Integration Tracking |
Product Backlog Total: ~246 SP (~41 weeks at 6 SP/week)
Icebox
Parked for later. Re-evaluate quarterly or when strategic priorities shift.
| # | Repo | SP | Title | Why iceboxed |
|---|---|---|---|---|
| 211 | open | 21 | TUI: Interactive Terminal Interface | v2.0 scope |
| 213 | open | 21 | Build Web UI with Local Server Mode | v2.0 scope |
| 50 | pro | 21 | opnDossier Desktop App (Wails) | v2.0+ scope |
| 53 | pro | 21 | Enterprise Server | v2.0+ scope |
Multi-Vendor Parser Support
| # | Repo | SP | Title | Why iceboxed |
|---|---|---|---|---|
| 198 | open | 13 | Add Cisco ASA firewall configuration parser | Needs architecture first |
| 199 | open | 13 | Add Fortinet FortiGate configuration parser | Needs architecture first |
| 51 | pro | 13 | Additional Firewall Parsers (Cisco ASA, Fortinet) | Needs architecture first |
Advanced Features
| # | Repo | SP | Title | Why iceboxed |
|---|---|---|---|---|
| 205 | open | 13 | Implement custom rule engine for org-specific compliance policies | Large scope, pro first |
| 201 | open | 8 | Configuration drift detection and baseline management | Nice-to-have |
| 212 | open | 8 | File system watch mode for continuous monitoring | Nice-to-have |
| 207 | open | 8 | Professional PDF report generation | Depends on report architecture |
| 33 | pro | 13 | Custom Compliance Rules Engine | Large scope |
| 34 | pro | 8 | Additional Compliance Frameworks | After PCI-DSS ships |
| 36 | pro | 5 | Red/Blue Dual-Output Reports | After blue/red modes stable |
| 37 | pro | 5 | SIEM Export Formats | After open SIEM export |
| 47 | pro | 5 | Config Conversion (Unique Differentiator) | Future differentiator |
| 48 | pro | 8 | Config Converter (config-faker reimagined) | Future differentiator |
| 52 | pro | 8 | Topology Mapping | Speculative |
| 58 | pro | 5 | Monitoring / Operations | After enterprise server |
Architecture & Tech Debt
| # | Repo | SP | Title | Why iceboxed |
|---|---|---|---|---|
| 152 | open | 8 | Full cleanup to programmatically Go-based templates | Overlaps with #154 |
| 154 | open | 8 | Complete Template System Migration and Removal for v2.0 | v2.0 scope (NATS-6 — now Done) |
| 157 | open | 8 | Create shared evilbitlabs-network-model Go module | Blocked by multi-vendor decision |
Documentation & Content
| # | Repo | SP | Title | Why iceboxed |
|---|---|---|---|---|
| 195 | open | 5 | Enhance end-user documentation in mkdocs site | Blocked by mkdocs/Zensical decision |
| 374 | open | 5 | Migrate from MkDocs to Zensical static site generator | Low urgency |
Icebox Total: ~271 SP
Grand Total (all open issues): ~517 SP
Closed Epics (replaced by this structure)
| # | Old Title | Replaced by |
|---|---|---|
| 22 | Multi-Platform Firewall Architecture | Iceboxed |
| 23 | Compliance & Security Audit Engine | pro#65, pro#66, pro#69 |
| 24 | Professional Reporting & Output | pro#71 |
| 25 | Open Core Infrastructure & Monetization | pro#64, pro#26 |
| 28 | Multi-Platform Architecture Foundation | Iceboxed |
| 49 | Desktop & Enterprise Platform | Iceboxed |
Staleness notes for readers
- Krystal is no longer an owner of EvilBit Labs; Ken is solo operator. Any reference to GTM or ops work being split with Krystal in the source doc is outdated — all GTM work sits with Ken.
- Group 13 issue #154 (NATS-6 — Template System Migration) was completed on 2026-04-16 and no longer belongs in the backlog. It's retained in this copy for historical mapping but should be struck through in the source doc on next refresh.
- Group 1 issue #286 (NATS-7 — O(n²) dedup) was completed on 2026-04-15. Same treatment.
- NATS ticket keys for most groups were assigned during the 2026-04-11 bulk Jira import and annotated with SPs on 2026-04-16. See the opnDossier PRDs for Jira-side context.
This page is a snapshot. The source document in the repo is authoritative; propose edits there first, then refresh this page.