# Antagonist review, round two: product and business layer

Round one attacked the system. This round attacks product.md's claims, numbers, and the gaps between its sections. No repeats.

## Persona 1 — PLG/growth operator, dev-tools scar tissue

1. **Size the Rails you're claiming.** GitHub's Rails was a rocket ship: tens of thousands of developers joining a hot framework monthly. "The jj-curious maintainer crowd (Rust tooling, terminal tools, infra CLIs) is our Rails" — jj has maybe low tens of thousands of active users after five years, and "jj-curious maintainers with active CVE flow" is a triple intersection you could seat in one conference room. Put numbers on stage 0: how many devs is the top of the funnel, what retention percentage passes the gate, and measured over what window? "Do jj-curious devs stay?" is not a gate until it has a denominator and a deadline.

2. **Your first-run moment demands maximum trust at minute zero.** "wip seal .env — your real .env... solo value in 10s." Developers trial unknown CLIs on throwaway repos; you're asking them to hand production secrets to an unaudited crypto tool as the *first interaction* — while the one-pager's own Culprit 8 says "we rolled our own is disqualifying" before professional review. Which is it: seal-your-real-.env as the hook, or don't-trust-us-yet as the honest posture? What's the actual pre-audit first-run moment?

3. **Invite-only scarcity starves the graph you need.** Gmail's invite wall worked because email interoperates with the entire outside world; a forge's value *is* its graph. Stage 2 chokes registration exactly when "populated by the graph 1-2 built" (stage 4) needs compounding network effects, and while your wedge users — OSS maintainers — need their drive-by contributors to be able to show up. Reconcile "early-Gmail scarcity" with a product whose stage-4 thesis is network density.

4. **The famous-five gate is a coin flip you can't force and shouldn't want.** The gate is "one public 'we handle security fixes in wip' from a name people know" — but by your own metadata-leak culprit, *advertising* your embargo tooling paints a target on every sealed blob in that repo. You're asking a security-conscious maintainer to publicly disclose their disclosure infrastructure. And if none of the five says yes in, say, 12 months: does the company die at stage 1, or does the "each stage gated" discipline quietly dissolve? Name the timebox.

5. **You priced your own upsell out of existence.** Free tier: "1GB hosted dark remote... covers essentially every solo private use" (your words: median repo <50MB, vaults are megabytes). Pro's headline is Vault at 100GB — for whom, exactly, if 1GB already covers "essentially every" solo case and you're "deliberately not competing with Dropbox on media"? Then the prediction on record, "Handoff outsells Vault": Handoff requires wip as daily driver on two-plus machines, and competes with free VS Code Settings Sync, tmux+SSH, and every agent vendor's own session persistence. What evidence prices laptop-lid-continuity at $7-10/month? You've predicted your best seller with zero demand signal and defended it with a feature no one has asked for by name.

6. **GitHub is the bouncer at your GitHub exit ramp.** "Free hosted quota requires a cryptographically-linked GitHub account above an age/activity floor" — the product tagline is "private repos that are actually private" and a "GitHub exit ramp," but the privacy-conscious, GitHub-skeptical dev most attracted by that tagline is exactly who can't or won't link. You've made the incumbent your identity provider and gatekeeper. What happens to your funnel when GitHub rate-limits, ToS-blocks, or simply breaks the `user.keys` endpoint your onboarding and sybil defense both depend on?

7. **Your defaults contradict your taglines.** Marketing: "the agent physically can't read /payments," "Your agent can't leak what it can't decrypt." Product: "**No `--scopes` means all**" — the default invite hands the agent every scope including /payments, and `trusted` mode "inherits everything... NO security claim." So the shipped default is exactly the git behavior the ads mock, and safety is opt-in flag-typing — the same "asking nicely" you deride, one layer down. Either the safe thing is the default or the tagline is aspirational; which asset gets rewritten?

## Persona 2 — Solo-founder realist

8. **Count the surfaces you promised, then count yourself.** CLI, mouse-first phone-responsive TUI, web UI, MCP server, session-socket daemon, headless API, signed extension registry with manifest-diff review, git bridge, "near-lossless both directions" jj bridge, bidirectional GitHub/GitLab mirror, OIDC grant broker, Buildkite integration, Jenkins plugin, SQL analytics layer, forge with CDN economics, "real SLA, public status page, multi-region endpoints." That's five teams at a funded company. "Core stays small" while bridges are "not optional plugins... maintained as part of core" is scope denial with extra steps. What ships in year one, what is explicitly cut, and what's the trigger for admitting the list was fantasy?

9. **"The mirror strategy must be flawless" is a sentence, not a plan.** Bidirectional git sync is the graveyard of this category — everyone who ran a Gerrit/GitHub or Phabricator bridge has the scars: force-pushes, PR-semantics drift, rate limits, webhook loss, race conditions between both writers. You've bet stage 1 on flagship repos where a broken mirror "reads as 'wip broke my project'" — during a CVE embargo, with one founder on call. What's the concrete SLA for the famous five, who answers at 3am, and what's the blast-radius story when ghostty's mirror diverges mid-release?

10. **The 55-75% margin math counts bytes and nothing else.** "COGS ≈ $1.50-3 against $6.30 net of Stripe" prices bandwidth and storage only. Missing: support hours (crypto key-loss tickets are hours, not minutes), abuse and DMCA handling, on-call, backup/restore ops, SOC 2 for the enterprise tier ($30-80k/yr before headcount), VAT/sales-tax compliance or merchant-of-record fees, chargebacks. Also the doc can't agree with itself on price: Pro is "priced in the... band (~$10)" in one section and "$7, the nostalgic price" in the ramp, and the margin math is run at $7. Redo the unit economics with a founder-hour cost line, at one declared price.

11. **E2E means you cannot fix your customers' worst day.** "We can never content-inspect, by design" also means never recover: Culprit 6 says a lost sealed scope holding prod config "is an outage, not just lost history." So the support ticket is: $7 customer, lost laptop, sealed .env gone, production down, and you are architecturally unable to help. What's the support policy for grief you designed to be unfixable, and what does that ticket volume do to the margin in Q10?

12. **You're hosting bytes you can't see, and your abuse plan is a quota.** "Abuse control lives entirely in quota size, egress caps, and identity cost" — that answers *cost* abuse, not *content* abuse. Hosted ciphertext will carry warez, malware C2, and worse; NCMEC obligations, law-enforcement subpoenas, and payment-processor acceptable-use rules do not accept "structurally unreadable" as a policy. Stripe has terminated hosts for less. What happens on the first subpoena for a sealed scope, and has anyone who's operated a file host reviewed this plan?

13. **"Free enterprise-grade embargo tooling forever" is an unbounded liability, in writing.** The famous-five deal: you personally do the migration, run white-glove support, forever, for the five most demanding and most public users in the ecosystem — concurrently with building stages 2-4 solo. The doc costs this as "white-glove hours, not infrastructure (~$25/mo variable)," pricing the one resource you can't buy more of at zero. Budget it: hours per week per flagship, and what happens to stage 2 the week one of them has a P0 embargo?

## Persona 3 — Competitive strategist

14. **"GitHub structurally cannot copy" is doing unearned work.** Take the list: human/agent authorship — GitHub already has commit signing, Sigstore/gitsign exists, and agent-attestation-on-commits is a quarter's work for a team that ships weekly; follow-a-change is Gerrit's Change-Id, twenty years old; issues-in-repo is Fossil, copyable by anyone. The only structurally hard item is host-blind sealing — and the moment you validate demand, GitHub ships "GitHub Encrypted Repos" (client-side keys, 80% of the story, 100% of the distribution) the way they shipped Actions after validating CI, Copilot after validating AI. Round one asked why they don't ship sealed refs; this round asks: which single item on your "can't copy" list survives a motivated GitHub quarter, and is the company worth building if the answer is "one"?

15. **The agent-safety wedge belongs to the agent vendors, not the VCS.** Anthropic, Cursor, and OpenAI control the runtime; they already ship sandboxes, permission prompts, and filesystem allowlists — enforcement, not etiquette, at the layer they own. A devcontainer with sparse checkout and secrets outside the tree delivers "the agent physically can't read /payments" today, no new VCS required. Your chaos-monkey demo's three beats — blocked reads, undo, audit log — are reproducible with a container, `git reflog`, and session recording; "unfakeable by competitors whose guardrails are prompts" strawmans competitors whose guardrails are kernel namespaces. Name the beat a sandbox vendor cannot replicate by next quarter, and why the buyer believes the VCS is the right layer for it.

16. **Your 10-second wedge has a free, audited, Google-pedigreed incumbent.** `wip seal .env` versus `sops -e .env` with age: SOPS is boring, reviewed, ubiquitous in the exact infra crowd you're targeting, and demands no VCS switch, no fork-risk bet, no new trust root. The *system* (scopes, reveal, op log) is differentiated; the *first-run moment* is not. If the hook is replaceable by a one-liner the prospect already has, what actually converts stage-0 users — and if the answer is "the jj UX," see Q17.

17. **Stage 0 is a knife fight with your own upstream and better-funded neighbors.** "wip must be the best jj experience there is — coach mode, TUI, SQL queries — before anyone hears the word 'sealed.'" jj is Google-backed, improving weekly, and free of your fork's rebase tax; gg/lazyjj/jjui are closing the TUI gap; Graphite and GitButler own the polished-workflow-layer position with venture money and existing users. You're proposing to out-execute the upstream on its own UX as a *prerequisite* for your actual differentiator. When jj ships an official TUI or Graphite adds jj support, what remains of stage 0 — and doesn't the whole ramp then rest on sealing, the feature you deferred to stage 1?

18. **"One API, many clients" is an architecture diagram, not a moat.** Every competitor has one API and many clients — that's what GitHub's API, GitLab's API, and MCP itself are. Walk the actual moat candidates the doc implies and defend one: the format spec (published, explicitly, as an exit guarantee — a moat you promised to drain), the network graph (mirrored to GitHub by design, so the graph stays theirs), the crypto (Apache-licensed and "never the paywall"), the brand (stage 4, years away). The eject guarantee is genuinely great trust engineering and genuinely terrible lock-in; the doc never says where durable advantage lives once the ideas are validated for everyone else. Where?
