Community Edition Framing#

Lead Section#

Community Edition Framing is the comprehensive positioning strategy for the opnDossier open-core firewall configuration analyzer that governs how the free (community) and paid (Professional/Enterprise/Gov-IC) editions are presented in all user-facing content. The framework ensures the community edition is consistently positioned as a complete, production-ready product rather than a limited preview or freemium teaser, while Pro tiers are framed as additive features for specialized organizational needs.

The strategy emerged from explicit maintainer guidance during public product roadmap development in March 2026 and serves as the authoritative reference for maintaining open-source credibility while building sustainable commercial revenue. It applies to all documentation (README, user guides, API docs), CLI help text, roadmap communications, pull request descriptions, marketing content, and landing pages.

The core architectural principle — "all platform parsers are free and open source forever" — establishes that opnDossier becomes the universal firewall configuration parser across OPNsense, pfSense, Cisco, Fortinet, Palo Alto, Juniper, MikroTik, and Ubiquiti ecosystems. Revenue derives from what users do with parsed data (topology mapping, compliance reporting, team collaboration), not which platforms they can parse.

Core Principles#

Complete Production-Ready Community Edition#

The community edition must be positioned as "genuinely complete" to maintain open-source credibility and avoid community backlash. This means:

Always Free Features (source):

• All platform parsers (OPNsense, pfSense, Cisco ASA/IOS, Fortinet FortiGate, Palo Alto, Juniper, MikroTik, Ubiquiti)
• Single-config security analysis with vulnerability detection and dead rule detection
• Multi-format export (Markdown, JSON, YAML, text, HTML)
• Firewall best practices checks (platform-specific)
• SANS/NSA security checks
• Complete offline operation with zero telemetry

Positioning Language:

• ✅ DO: "Community edition provides complete firewall analysis for individual operators and small teams"
• ✅ DO: "All platform parsers remain free and open source forever"
• ✅ DO: "Pro adds specialized features for government compliance, multi-device topology, and team collaboration"
• ❌ DON'T: "Community edition is limited to basic features"
• ❌ DON'T: "Upgrade to Pro for full functionality"
• ❌ DON'T: "Community is a trial version" or "freemium tier"

Pro as Additive for Specialized Needs#

Professional, Enterprise, and Gov/IC tiers (pricing structure) provide features for organizations with specialized requirements, not for users who "need more" basic functionality.

Professional Tier (detailed features):

• DISA STIG compliance checks and remediation guidance (government-focused)
• Red/blue dual-output reports (red team attack surface + blue team defensive analysis)
• Topology mapping (Mermaid/Graphviz/JSON) for multi-device networks
• Desktop app (Wails) with local analysis history
• PDF report generation and SARIF export for CI/CD

Enterprise Tier (organizational features):

• Multi-user server deployment with shared analysis history
• Custom rule authoring engine for organizational policies
• API access and compliance cross-referencing (PCI-DSS, SOC 2, ISO 27001, NIST 800-53)
• Config drift detection and centralized repository

Gov/IC Tier (airgap-specific):

• Offline license validation for airgapped environments (zero-connectivity)
• Source-available access for security review
• Custom compliance framework mapping and self-certification procedures

Positioning Language:

• ✅ DO: "Professional adds STIG compliance for government contractors"
• ✅ DO: "Enterprise provides multi-user collaboration for security teams"
• ✅ DO: "Gov/IC supports airgapped environments with offline licensing"
• ❌ DON'T: "Community is missing critical features"
• ❌ DON'T: "Pro unlocks the full product"
• ❌ DON'T: Imply community edition is insufficient for production use

The "All Parsers Free" Differentiator#

The core product strategy positions opnDossier against enterprise competitors (RedSeal, Tufin, AlgoSec, Titania Nipper) that charge $3K-$25K+/year and exclude small/mid-size organizations. The "all parsers free" principle creates a sustainable competitive advantage:

1. Drives adoption: Free access to every platform parser builds a universal user base across all firewall ecosystems
2. Creates switching costs: Users invest in opnDossier workflows knowing platform support won't be paywalled
3. Natural upgrade path: Organizations using free edition grow into Pro needs organically (topology, compliance, collaboration)
4. Community credibility: Open parser code builds trust and enables security review

Positioning Language:

• ✅ DO: "opnDossier is the universal firewall configuration parser — all platforms, always free"
• ✅ DO: "Professional pricing starts at $99-299/year compared to enterprise tools at $50K+"
• ✅ DO: "We charge for what you do with parsed data, not which platforms you support"
• ❌ DON'T: "Additional platforms available in Pro edition"
• ❌ DON'T: "Unlock more device support with Enterprise"

Implementation Status and Timeline#

Current Status (March 2026)#

As of March 2026, the community/Pro split is planned but not yet implemented:

• opnDossier v1.3.0 (community edition) is the current production release
• opnDossier-pro repository exists but contains only a minimal wrapper importing the community edition as a Go module
• No licensing mechanisms, feature gating, or Pro-exclusive features are implemented
• STIG plugin remains in the open-source repository and will migrate to Pro after licensing infrastructure is complete

Phased Rollout Plan#

The launch sequence defines a four-phase approach to protect open-source credibility while transitioning to commercial model:

Phase A (Completed): Ship v1.3.0 with no Pro mention

• Architectural improvements (CommonDevice abstraction, DeviceParser registry, public APIs)
• Standard release notes emphasizing extensibility
• Zero mention of Pro or commercial plans in user-facing content

Phase B: Announce open-core direction

• Blog post explaining sustainability rationale
• GitHub Discussion and Reddit posts (r/OPNsense, r/PFSENSE, r/homelab, r/netsec)
• Update README with open-core mention following framing guidelines

Phase C: Soft launch with demo licenses

• 14-day Professional trial licenses available
• Community feedback collection
• License flow validation

Phase D: Commercial launch

• Professional tier sales live via Stripe
• Enterprise/Gov-IC as "contact us"
• Product website with tier comparison following framing guidelines

Estimated Timeline: 2-4 months from v1.3.0 to first sale

Application Scope#

Required User-Facing Content#

Community Edition Framing applies to all content visible to users, contributors, or customers:

Documentation Files (identified locations):

• README.md (primary entry point, 365 lines)
• docs/index.md (documentation landing page)
• docs/user-guide/getting-started.md (first-run tutorial)
• docs/user-guide/installation.md (339 lines covering all installation methods)
• docs/about.md (project philosophy and principles)
• Feature-specific guides (security-scoring, compliance, workflows)

CLI Interface (command implementations):

• cmd/root.go (main CLI description in --help output)
• cmd/convert.go (extensive help text with examples)
• All command Long fields in Cobra definitions (displayed in --help)

Marketing and Launch Content:

• Product website landing page
• Tier comparison page and pricing page
• Blog posts and announcements
• Reddit/HN "Show HN" posts
• Newsletter content (ZeroDay Field Notes, EvilBit Threat Digest)

Development Communications:

• Roadmap documents (docs/roadmap.md when created)
• GitHub release notes
• Pull request descriptions mentioning features
• Issue templates and discussions

Exempted Internal Content#

These files do not require edition framing:

• SECURITY.md (security policy, procedural)
• CHANGELOG.md (release history, factual)
• LICENSE files (legal text)
• Test files and test documentation
• CI/CD configuration files
• Internal architecture documentation (unless publicly linked)

Messaging Guidelines by Content Type#

README and Landing Pages#

Feature Overview Sections:

## Features

opnDossier provides complete firewall configuration analysis:

- **Universal Platform Support**: OPNsense, pfSense, Cisco, Fortinet, Palo Alto, Juniper, MikroTik, Ubiquiti — all parsers free forever
- **Security Analysis**: Vulnerability detection, dead rule identification, attack surface mapping
- **Compliance Checking**: SANS/NSA best practices, firewall-specific baselines
- **Multi-Format Export**: Markdown, JSON, YAML, text, HTML output

### Professional Edition

For organizations requiring government compliance, multi-device topology, or team collaboration:

- DISA STIG compliance and remediation guidance
- Red/blue dual-output reports
- Topology mapping and attack path analysis
- Desktop app with analysis history
- PDF/SARIF export for CI/CD integration

[Compare editions →](link) | [Try Professional free for 14 days →](link)

Installation Sections:

## Installation

### Community Edition (Free)

Download pre-built binaries for all platforms:
[installation instructions...]

### Professional Edition

1. Download opndossier-pro binary
2. Purchase license ($99-299/year)
3. Activate with `opndossier-pro license activate`

[Learn more about Pro features →](link)

CLI Help Text#

Command help text embedded in code should focus on functionality without heavy edition marketing:

Long: `Convert OPNsense configuration files to multiple output formats.

Supports Markdown, JSON, YAML, text, and HTML output with security analysis,
dead rule detection, and compliance checking included in all editions.

Professional edition adds STIG compliance, topology mapping, and red/blue reports.`,

Roadmap and Release Notes#

Roadmap Structure:

## v2.0 Roadmap

### Community Edition
- Parser registry system
- Config drift detection
- Custom rule engine (YAML-defined organizational policies)
- PCI-DSS compliance checks

### Professional Edition
- STIG compliance migration (from community to Pro)
- Topology mapping with Mermaid/Graphviz export
- Red/blue dual-output reports
- Desktop app (Wails) with local history

### Enterprise Edition
- Multi-user server deployment
- Shared analysis history
- Custom rule authoring
- API access

Release Notes should state facts without diminishing community edition:

## v2.0.0

### Community Edition
- Added parser registry system (#302)
- Implemented config drift detection
- Enhanced PCI-DSS compliance checks

### Professional Edition (New)
- Introduced STIG compliance plugin with remediation guidance
- Added topology mapping (Mermaid/Graphviz/JSON)
- Released desktop app with local analysis history

Pull Request Descriptions#

When features affect edition split:

## Summary
Implements topology mapping for multi-device network visualization.

## Edition Impact
- **Community Edition**: No changes
- **Professional Edition**: Adds `--topology` flag with Mermaid/Graphviz output

## Rationale
Topology mapping requires cross-device analysis and is scoped for Professional
tier per [product strategy](link). All single-device analysis remains in
community edition.

The STIG Migration Case Study#

The STIG compliance plugin migration is the only feature being removed from community edition and serves as the reference implementation for communicating breaking changes:

Background#

STIG plugin currently exists in open-source repository at internal/plugins/stig/ implementing four DISA STIG controls:

• V-206694: Default deny policy enforcement
• V-206674: Packet filtering specificity requirements
• V-206690: Unnecessary services disabled verification
• V-206682: Comprehensive logging enforcement

Migration planned after Phase 2 licensing infrastructure is complete. It is the only breaking change planned for community edition.

Correct Messaging#

Announcement Post:

## Open Core Model: What's Changing

opnDossier is adopting an open-core model to ensure long-term sustainability.

### What's Staying Free (and Getting Better)
- All platform parsers (OPNsense, pfSense, Cisco, Fortinet, Palo Alto, Juniper, MikroTik, Ubiquiti)
- Security analysis, dead rule detection, vulnerability identification
- SANS/NSA compliance checks
- Multi-format export (Markdown, JSON, YAML, text, HTML)
- Complete offline operation, zero telemetry

The community edition is production-ready and complete for individual operators.

### What's Going Pro
- **DISA STIG compliance checks** (government contractors, DoD environments)
- Topology mapping (multi-device networks)
- Red/blue dual-output reports (specialized analysis)
- Desktop app with analysis history
- PDF/SARIF export for CI/CD

### Why STIG is Moving
STIG compliance serves a specific market (government contractors and DoD
environments) requiring specialized features. SANS/NSA checks remain free
and cover general firewall security best practices.

Professional pricing: $99-299/year (vs. $50K+ for enterprise alternatives)

CHANGELOG Entry:

## v2.0.0 - BREAKING CHANGES

### Removed from Community Edition
- STIG compliance plugin (moved to Professional edition)

### Migration Path
- Users requiring STIG compliance: Upgrade to Professional edition
- General security auditing: Use SANS/NSA plugins (remain free)
- Government contractors: 14-day Pro trial available

### Rationale
STIG compliance targets specialized government/DoD requirements. All general
firewall security analysis remains in community edition.

Incorrect Messaging to Avoid#

❌ "STIG features now require paid upgrade for full security compliance"
→ Implies community edition is incomplete or insecure

❌ "Community edition limited to basic compliance checks"
→ Frames free edition as insufficient

❌ "Unlock professional-grade compliance with Pro"
→ Suggests community edition is amateur or inadequate

✅ "STIG compliance (government-specific) moves to Professional; SANS/NSA checks (general security) remain free"
→ Clear, factual, positions Pro as specialized rather than superior

Brand Principles Integration#

Community Edition Framing must align with opnDossier's five core brand principles:

1. Trust the Operator#

"Full control, no black boxes."

Application: Community edition must provide complete transparency. No hidden limitations, no artificially degraded performance, no nagware. Pro features are additive, not unlocking hidden existing functionality.

2. Polish Over Scale#

"Quality over feature-bloat."

Application: Both editions maintain high quality standards. Community edition is not a "dumbed down" version — it's a focused, polished product for single-device analysis.

3. Offline First#

"Built for where the internet isn't."

Application: Both editions fully operational in airgapped environments. License validation for Pro uses embedded public keys, no phone-home required.

4. Sane Defaults#

"Clean outputs, CLI help that's actually helpful."

Application: Edition indicators in CLI help text must be clear and non-promotional. Example: --topology (Pro) in flag list, not marketing copy.

5. Ethical Constraints#

"No dark patterns, spyware, or telemetry."

Application: Zero telemetry in both editions. No usage tracking, no analytics, no "anonymous" data collection. No nagware or upgrade prompts in community edition beyond factual feature availability.

Relevant Code Files#

Related Topics#

• Open-Core Licensing Architecture: Two-binary distribution model with asymmetric license validation
• Platform Parser Strategy: All parsers free forever, revenue from analysis features
• Go-to-Market Phased Rollout: Phase A-D launch sequence protecting open-source credibility
• Product Strategy 2026: Overall commercial strategy and target markets
• Brand Principles: Five core principles governing all product decisions