# LetsBe Biz — Tool Catalog

**Version:** 2.2
**Date:** February 26, 2026
**Authors:** Matt (Founder), Claude (Research & Drafting)
**Status:** Working Draft
**Companion docs:** Technical Architecture v1.2, Foundation Document v1.0, Pricing Model v2.2

---

## 1. Purpose

This document catalogs every tool that LetsBe Biz deploys (or plans to deploy) on customer VPS instances. It serves three audiences: engineering (for Docker stack specs and resource planning), product (for onboarding and recommendations), and sales (for the "25+ tools" pitch).

**Selection criteria — every tool must:**

1. Be **fully open source** with a license compatible with managed service deployment (MIT, Apache 2.0, AGPL, GPL, BSD, etc. — **not** BSL, Sustainable Use, or similar source-available licenses that restrict commercial hosting)
2. Have a **comprehensive, free API** (REST or GraphQL — needed for AI agent integration)
3. Be **completely free** to use with no paid-only features blocking core functionality
4. Run in **Docker** (official or well-maintained community image)
5. Be **actively maintained** (commits within last 6 months, responsive issue tracker)
6. Be **in addition** to the current tool set (no replacements in this version)

**Catalog philosophy — curated defaults, not a free-for-all:**

We offer **one recommended default per niche**, with an alternative only when there's a genuine functional difference. We are *not* trying to stock two of everything. Overlap is only justified when two tools serve meaningfully different workflows within the same domain. Examples:

- **Justified overlap:** Chatwoot (real-time omnichannel chat) + Zammad (structured ticket/SLA helpdesk) — different support models, often used together.
- **Justified overlap:** BookStack (structured wiki — books/chapters/pages) + Wiki.js (Git-backed developer wiki) — different knowledge management paradigms for different team types.
- **Not justified:** NocoDB + Baserow — both are no-code spreadsheet-over-database tools with near-identical feature sets. We pick one (NocoDB).

When in doubt: fewer, better-integrated tools > more options. Each additional tool increases maintenance burden, Ansible complexity, and the surface area our AI agents need to cover.

---

## 2. Current Tool Inventory (28 Tools — Deployed)

These tools are currently configured in `/letsbe-ansible-runner/stacks/` and listed in the Hub's `ToolsEditor.tsx`, or are confirmed integrations in progress. They are proven, tested (or being integrated), and ready (or nearly ready) for customer provisioning.

### Core Infrastructure (3) — Always deployed, not customer-selectable

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Orchestrator** | `orchestrator` | LetsBe control plane API — manages VPS lifecycle, tool deployment, agent coordination | Proprietary | Custom |
| **SysAdmin Agent** | `sysadmin` | Remote automation worker — executes provisioning and maintenance tasks | Proprietary | Custom |
| **Portainer** | `portainer` | Container management UI — visual Docker management for advanced users | Zlib | `portainer/portainer-ce` |

### Communication (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Chatwoot** | `chatwoot` | Omnichannel customer engagement — live chat, email, social media inbox | MIT | `chatwoot/chatwoot` |
| **Listmonk** | `listmonk` | Newsletter and mailing list manager — bulk email campaigns, subscriber management | AGPL-3.0 | `listmonk/listmonk` |
| **Stalwart Mail** | `stalwart` | All-in-one mail server — SMTP, IMAP, JMAP, POP3, CalDAV, CardDAV, WebDAV. Built-in DKIM/SPF/DMARC/ARC, DANE, MTA-STS. Written in Rust. | AGPL-3.0 | `stalwartlabs/mail-server` |

> **⚠️ Replaced: Poste.io → Stalwart Mail** — Poste.io had a proprietary license prohibiting third-party deployment. Stalwart Mail (AGPL-3.0) is the replacement: all-in-one mail server with native OIDC/Keycloak support (v0.11.5+), Management REST API with OpenAPI spec, and comprehensive protocol coverage (SMTP, IMAP, JMAP, POP3, CalDAV, CardDAV, WebDAV). 12k+ GitHub stars, written in Rust for performance and security.

### File Storage & Collaboration (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Nextcloud** | `nextcloud` | File sync, sharing, office suite, calendar, contacts — the Swiss Army knife | AGPL-3.0 | `nextcloud` |
| **MinIO** | `minio` | S3-compatible object storage — stores files, backups, attachments for other tools | AGPL-3.0 | `minio/minio` |
| **Documenso** | `documenso` | Digital document signing — e-signature workflows, templates, audit trails | AGPL-3.0 | `documenso/documenso` |

### Identity & Security (2)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Keycloak** | `keycloak` | Identity and access management — SSO across all tools, OIDC/SAML | Apache-2.0 | `quay.io/keycloak/keycloak` |
| **Vaultwarden** | `vaultwarden` | Password manager (Bitwarden-compatible) — team credential sharing, autofill | AGPL-3.0 | `vaultwarden/server` |

### Automation & Workflows (1)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Activepieces** | `activepieces` | No-code automation — drag-and-drop workflow builder, growing connector library | MIT | `activepieces/activepieces` |

> **⚠️ Removed: n8n** — Sustainable Use License prohibits hosting as part of a paid service.
> **⚠️ Removed: Windmill** — AGPL with explicit additional restriction: "cannot sell, resell, serve Windmill as a managed service."
> **⚠️ Removed: Typebot** — Changed from AGPL to Fair Source License (FSL) in 2024. Prohibits competing products. Converts to Apache 2.0 after 2 years. **Note:** Typebot remains in our internal stack for LetsBe team use and close associates — just not deployed on customer VPS as part of the managed service.

### Development (2)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Gitea** | `gitea` | Lightweight Git server — repos, issues, PRs, wiki, CI integration | MIT | `gitea/gitea` |
| **Drone CI** | `gitea-drone` | Continuous integration — pipeline-as-code, triggered by Gitea events | Apache-2.0 | `drone/drone` |

### Databases & Analytics (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **NocoDB** | `nocodb` | Airtable alternative — spreadsheet UI over any database, API-first | AGPL-3.0 | `nocodb/nocodb` |
| **Redash** | `redash` | Data visualization — SQL queries, dashboards, scheduled reports | BSD-2 | `redash/redash` |
| **Umami** | `umami` | Privacy-focused web analytics — no cookies needed, GDPR-friendly | MIT | `ghcr.io/umami-software/umami` |

### AI & Chat (1)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **LibreChat** | `librechat` | Multi-model AI chat interface — ChatGPT-style UI, supports Claude/GPT/local models | MIT | `ghcr.io/danny-avila/librechat` |

### CMS & Content (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Ghost** | `ghost` | Publishing platform — blogs, newsletters, membership, SEO-optimized | MIT | `ghost` |
| **WordPress** | `wordpress` | Content management system — the world's most popular CMS, massive plugin ecosystem | GPL-2.0 | `wordpress` |
| **Squidex** | `squidex` | Headless CMS — API-first content management, multi-language, asset management | MIT | `squidex/squidex` |

### Business Tools (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Cal.com** | `calcom` | Scheduling — booking pages, calendar sync (Google/Outlook/CalDAV), team scheduling | AGPL-3.0 | `calcom/cal.com` |
| **Odoo** | `odoo` | ERP suite — CRM, invoicing, inventory, HR, project management, 80+ modules | LGPL-3.0 | `odoo` |
| **Penpot** | `penpot` | Design & prototyping — Figma alternative, real-time collaboration, SVG-native | MPL-2.0 | `penpotapp/frontend` |

> **⚠️ Removed: Invoice Ninja** — Elastic License 2.0 (not AGPL as previously listed). Prohibits providing as "hosted or managed service." **Replacement: Bigcapital** (AGPL-3.0, P1 expansion) covers invoicing + full double-entry accounting. Also considered: **InvoiceShelf** (AGPL-3.0, Docker-ready, Laravel/Vue) as a lighter invoicing-only alternative if Bigcapital is too heavy. Odoo invoicing module available as interim.

### Monitoring & Maintenance (3)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **GlitchTip** | `glitchtip` | Error tracking — Sentry-compatible, crash reporting, performance monitoring | MIT | `glitchtip/glitchtip` |
| **Uptime Kuma** | `uptime-kuma` | Uptime monitoring — HTTP/TCP/DNS checks, status pages, notifications | MIT | `louislam/uptime-kuma` |
| **Diun** | `diun` | Container update notifications — monitors Docker images for new releases | MIT | `crazymax/diun` |

> **Note:** Watchtower (Apache-2.0) was archived December 2025. Diun is the active replacement.

### Other (1)

| Tool | Stack Key | Description | License | Docker Image |
|------|-----------|-------------|---------|-------------|
| **Static HTML** | `html` | Simple static website hosting — nginx serving customer's HTML/CSS/JS files | — | `nginx:alpine` |

---

## 3. Expansion Catalog — Deep Evaluation by Business Domain

Each tool below has been vetted against our six selection criteria (§1), checked for overlap per our catalog philosophy, and deeply researched for **API completeness** (can the AI do everything?), **SSO/Keycloak support**, and **strategic justification**.

Priority ratings:

- **P1 (High)** — Fills a major gap; strong API for AI automation; high SMB demand
- **P2 (Medium)** — Valuable addition; adequate API; complements existing tools
- **P3 (Lower)** — Nice to have; API gaps or maintenance concerns; niche use cases
- **REMOVED** — Failed research evaluation; does not meet requirements

### 3.1 CRM & Sales

Current coverage: Odoo (CRM module), Chatwoot (customer engagement). Gap: standalone lightweight CRM.

#### ~~Twenty~~ — **REMOVED** (was P1)

| Attribute | Detail |
|-----------|--------|
| **Status** | **License incompatible with managed service deployment.** |
| **Why removed** | Dual-licensed: files marked `/* @license Enterprise */` require a commercial license for production use. Without enterprise license, cannot be used to "manage customer data for a business" or "deployed in a commercial setting where it interacts with real clients or generates revenue." SSO is also behind the commercial license. Despite excellent API (95%), the production-use restriction is a hard blocker. |

#### EspoCRM — Enterprise-Ready CRM | **P1** (now primary CRM)

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Salesforce, Pipedrive, HubSpot |
| **License** | AGPL-3.0 (changed from GPL-3.0 in v8.1; standard AGPL, no additional restrictions — "does not prevent you from using, modifying, or providing the open-source software to others") |
| **Stars** | 1.8k+ |
| **API** | REST — 90% coverage. Full CRUD for contacts, accounts, opportunities, tasks, calls, meetings, notes. **Email sending via API** (SMTP/OAuth). Custom entities supported. HMAC auth (most secure). No documented rate limits. OpenAPI spec available at `/api/v1/OpenApi`. |
| **API Gaps** | No GraphQL. Reporting API covers grid reports with aggregation but not custom visualizations. |
| **SSO** | ✅ **Native OIDC** — documented at `/administration/oidc/`. User auto-creation on first login. Auto-team mapping from IdP groups. |
| **Keycloak** | ✅ **Supported** — works with `client_secret_post` auth method. Users/teams auto-mapped from Keycloak groups. Note: Espo's built-in 2FA disabled when OIDC active (use Keycloak 2FA instead). |
| **Why include** | **Only CRM with native Keycloak support.** Complete email sending API (critical for CRM workflows). Mature codebase (10+ years). HMAC auth is more secure than API keys. Auto-team mapping from IdP groups aligns perfectly with privacy-first multi-tenant model. Better for regulated industries. |
| **AI can do** | Everything Twenty can do PLUS send emails, manage calendar, run reports with aggregation, manage BPM workflows. |
| **AI cannot do** | Advanced custom visualizations (push to Redash). |
| **Priority rationale** | Upgraded to P1. Native Keycloak + email API makes it the most enterprise-ready CRM. Smaller community but more mature for SSO-required deployments. |

#### Corteza — Low-Code CRM Platform | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Salesforce, Dynamics 365 |
| **License** | Apache-2.0 |
| **Stars** | 1.5k+ |
| **API** | REST — 70% effective coverage. No pre-built CRM entities; must design modules/fields via low-code UI first, then API works on those custom records. OAuth2 client credentials auth. No rate limits documented. |
| **API Gaps** | Requires UI-based schema design before API is useful. No pre-built pipeline, no pre-built contact model. Reporting is dashboard-based, not API-queryable. |
| **SSO** | ✅ **OIDC + SAML both native** — best-in-class SSO. Add provider in Admin panel. |
| **Keycloak** | ✅ **Fully supported** — both OIDC and SAML work. |
| **Why include** | Best SSO support (OIDC + SAML). Low-code flexibility for custom business processes. Apache 2.0 (least restrictive license). GDPR-native design. Good for companies with non-standard CRM workflows. |
| **AI can do** | CRUD on any pre-defined module. Trigger workflows. Send emails via workflow engine. |
| **AI cannot do** | Design schema (UI-only). Create reports. Work without pre-built schema (2-4 week initial setup required). |
| **Priority rationale** | P2 because it requires significant upfront schema design and smaller community. Excellent SSO but not AI-first. Best for teams with custom business processes who invest in initial setup. |

---

### 3.2 Accounting & Invoicing

Current coverage: Odoo (invoicing module). Gap: standalone invoicing + full double-entry accounting. Invoice Ninja removed (Elastic License). **Bigcapital (P1) replaces both Invoice Ninja and Akaunting** — covers invoicing, expenses, and full double-entry accounting in one tool.

#### Bigcapital — Double-Entry Accounting | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | QuickBooks, Xero |
| **License** | AGPL-3.0 |
| **Stars** | 3k+ |
| **API** | REST — 85% coverage. Full CRUD for invoices, expenses, payments, clients, vendors, bills, products, tax rates. **Chart of accounts, journal entries, financial statements** (P&L, Balance Sheet, Cash Flow, Trial Balance, General Ledger). Bank account management. Inventory tracking. Auth: Bearer token (JWT/API key). Postman collection available. |
| **API Gaps** | Bank reconciliation automation unclear. AR/AP detail endpoints incomplete. Some endpoints underdocumented (discover via Postman). |
| **SSO** | ❌ No native OIDC/SAML. Built-in user/password + API key only. |
| **Keycloak** | ❌ Not supported. **Workaround:** oauth2-proxy reverse proxy (2-week sprint). |
| **Why include** | **Only OSS tool with true double-entry accounting + comprehensive API.** Multi-tenant architecture (single instance serves 30+ client books). Real-time financial statements. Inventory integration (rare in OSS). AI agents can autonomously create invoices, journal entries, generate financial reports. Compliance-grade accounting engine. |
| **AI can do** | Create invoices/bills, manage expenses, post journal entries, generate P&L/Balance Sheet/Cash Flow, manage chart of accounts, track inventory. |
| **AI cannot do** | Complex bank reconciliation (partial). Custom report visualization (push to Redash). |
| **Priority rationale** | P1 — fills the single biggest gap in our stack (real accounting). No SSO but solvable with proxy. |

#### ~~Akaunting~~ — **REMOVED** (was P2)

| Attribute | Detail |
|-----------|--------|
| **Status** | **License incompatible with managed service deployment.** |
| **Why removed** | BSL 1.1 (not GPL-3.0 as previously listed). Explicitly prohibits providing "to third parties as an Accounting Service." Direct conflict with LetsBe's model. Converts to GPL-3.0 after change date (4 years from publication). |

#### ~~Crater~~ — **REMOVED**

| Attribute | Detail |
|-----------|--------|
| **Status** | **PROJECT ABANDONED** — announced August 2023, no active development for 2+ years. Security patches only. |
| **Why removed** | API too limited (4.5/10 — no journals, COA, financial reports). No SSO. Security risk from lack of maintenance. Rate limit: 180 req/hr (restrictive). Community has moved to Invoice Ninja alternatives. **Do not integrate.** |

---

### 3.3 Project Management & Tasks

Current coverage: Odoo (project module), NocoDB (database views). Gap: dedicated PM tool.

#### Plane — Modern Project Management | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Jira, Linear, Asana, Monday.com |
| **License** | AGPL-3.0 |
| **Stars** | 32k+ |
| **API** | REST — 95% coverage. Full CRUD for projects, issues, cycles (sprints), modules, comments, labels, assignees, file attachments. Kanban/list/gantt/spreadsheet views. OAuth 2.0 + API key auth. Cursor-based pagination. HMAC-signed webhooks. Typed SDKs (Node.js, Python). Rate limit: 60 req/min. |
| **API Gaps** | No native time tracking. Minor UI-only features. |
| **SSO** | ✅ **Native OIDC** via God Mode (`/god-mode/authentication/oidc/`). |
| **Keycloak** | ✅ **Fully supported** — reference integration documented. |
| **Why include** | Best API completeness in PM category (95%). Modern UI matches Linear/Asana experience. Native OIDC/Keycloak. Multi-view flexibility (Gantt, Kanban, Timeline, Spreadsheet). Active community (32k stars). Python + Node.js SDKs enable rapid AI agent development. |
| **AI can do** | Create/manage projects, issues, sprints/cycles, comments, labels, assignments, file attachments. Query all views. |
| **AI cannot do** | Time tracking (not built-in). Advanced Gantt manipulation. |
| **Priority rationale** | P1 — #1 missing tool for SMBs. Strongest API + SSO combo in PM. |

#### Leantime — PM for Non-PMs | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Monday.com, Basecamp, Asana (basic) |
| **License** | AGPL-3.0 |
| **Stars** | 4.5k+ |
| **API** | JSON-RPC (not REST) — 70% coverage. Single endpoint `/api/jsonrpc`. Projects, tasks, kanban, table/list/calendar views. **Built-in time tracking** (timers + timesheets). Auth: API key via headers. |
| **API Gaps** | JSON-RPC is unconventional (harder for AI agents trained on REST). No explicit sprint/cycle API. Documentation sparse. |
| **SSO** | ✅ **OIDC supported** (v2.1.9+). LDAP also supported. |
| **Keycloak** | ✅ **Supported** — requires Provider URL, Client ID, Client Secret. Works with x5c certificates. |
| **Why include** | **Only PM tool with built-in time tracking + Keycloak support.** Designed for non-PMs (neurodivergent-friendly UX using behavioral science). Low overhead, fast deployment. Differentiator for SMBs with non-traditional teams. |
| **AI can do** | Manage tasks, track time, kanban operations, basic project management. |
| **AI cannot do** | Sprint planning (limited API). Complex Gantt manipulation. |
| **Priority rationale** | P2 — time tracking differentiator, OIDC ready, but JSON-RPC adds AI integration complexity. |

#### Vikunja — Lightweight Task Management | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Todoist, TickTick, Trello |
| **License** | AGPL-3.0 |
| **Stars** | 5k+ |
| **API** | REST + OpenAPI/Swagger — 75% coverage. Projects (lists), tasks, kanban, gantt, table views, comments, labels, assignees, file attachments, webhooks. CalDAV support. Auto-generated Swagger docs at `/api/v1/docs`. JWT + API token auth. |
| **API Gaps** | No time tracking. No formal sprint/cycle planning. |
| **SSO** | ✅ **Native OIDC** — well-documented with team auto-assignment from OIDC claims (v0.24.0+). |
| **Keycloak** | ✅ **First-class support** — dedicated docs + Authentik/Synology examples. Email/username attribute linking for existing accounts. |
| **Why include** | Task-centric (not project-centric) — good for distributed teams. CalDAV support enables calendar integration. Strong Keycloak integration with team auto-assignment. Lightweight resource footprint. Conventional REST API ideal for AI agents. |
| **AI can do** | Manage tasks, labels, projects, kanban boards. CalDAV sync. |
| **AI cannot do** | Time tracking. Sprint planning. |
| **Priority rationale** | P2 — excellent Keycloak support but lightweight feature set vs. Plane. |

#### OpenProject — Enterprise PM | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Jira Server, MS Project, enterprise PM suites |
| **License** | GPL-3.0 |
| **Stars** | 12.8k+ |
| **API** | REST (APIv3) + HAL+JSON HATEOAS — 90% coverage. Projects, work packages, agile boards, Gantt, **time tracking**, wikis, file attachments, comments, custom fields, roles/permissions. OAuth2 + session + basic auth. OpenAPI 3 spec at `/api/v3/spec.json`. Swagger UI at `/api/docs`. |
| **API Gaps** | HATEOAS adds verbosity (more complex for AI parsing). BCF API (building info) is niche. |
| **SSO** | ✅ **OIDC + SAML both supported** (v15+). Group synchronization from Keycloak. |
| **Keycloak** | ✅ **Full support** — OIDC discovery endpoint, SAML metadata, group sync. |
| **Why include** | Most feature-complete OSS PM tool. **Time tracking + Gantt + OIDC/SAML + group sync** = enterprise-grade. 9+ years of development. Community Edition genuinely free. Best for SMBs needing traditional + agile hybrid. |
| **AI can do** | Manage projects, work packages, sprints, time entries, wiki pages, comments, file attachments. |
| **AI cannot do** | Some UI-only configuration. HATEOAS requires more sophisticated API client. |
| **Priority rationale** | P2 — most powerful but most complex. Better for enterprise-oriented SMBs than startup-style teams. |

#### ~~Focalboard~~ — **REMOVED** (was P3)

| Attribute | Detail |
|-----------|--------|
| **Status** | **Maintenance uncertain** — Aug 2024 call for community maintainers. Standalone version unmaintained; moving to Mattermost plugin architecture. |
| **Why removed** | API is 50% complete and underdocumented. **No SSO support** (no OIDC, SAML, or LDAP). No time tracking. No sprints. Disqualified for privacy-first platform. |

---

### 3.4 Knowledge Base & Wiki

Current coverage: Nextcloud (limited notes/wiki), Gitea (repo wiki). Gap: proper knowledge management.

#### BookStack — Structured Wiki | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Confluence, Notion (for documentation) |
| **License** | MIT |
| **Stars** | 16k+ |
| **API** | REST — 95% coverage. Full CRUD for shelves, books, chapters, pages, comments. Search API with full-text indexing. Tag-based search. Role/user/permission management via API. File attachment management (multipart + base64). Portable ZIP export. Built-in API docs at `/api/docs`. Rate limit: 180 req/min (configurable to 1500). Auth: API token. |
| **API Gaps** | No real-time collaboration. API token scoping is basic (no granular OAuth scopes). |
| **SSO** | ✅ **OIDC + SAML 2.0 both native** — auto-discovery of endpoints. Tested with Keycloak, Okta, Auth0. |
| **Keycloak** | ✅ **Supported** — OIDC auto-discovery works. Known issue: refresh token handling requires increased token lifetime in Keycloak. SAML also works. |
| **Why include** | **Highest API completeness in KB category** (95%). Clear hierarchy (Books/Chapters/Pages) mimics real-world documentation structure. Both OIDC + SAML native. MIT license (least restrictive). Low deployment complexity (PHP/Laravel). AI agents can fully manage entire knowledge base lifecycle. |
| **AI can do** | Create/update/delete all content levels. Manage hierarchy. Search full-text. Manage permissions per entity. Handle attachments. Export content. |
| **AI cannot do** | Real-time collaborative editing (single-user editing model). |
| **Priority rationale** | P1 — best API for AI automation. Structured hierarchy is ideal for procedural docs, runbooks, SOPs. |

#### ~~Outline~~ — **REMOVED** (was P1)

| Attribute | Detail |
|-----------|--------|
| **Status** | **License incompatible with managed service deployment.** |
| **Why removed** | BSL 1.1 with Additional Use Grant that explicitly prohibits "Document Service" — defined as "a commercial offering that allows third parties to access the functionality by creating teams and documents." This is exactly what LetsBe does. Change Date to Apache 2.0 is January 27, 2030 — too far out. Despite excellent API (85%), SSO, and Keycloak support, the license is a hard blocker. **Revisit after January 2030 when Apache 2.0 conversion takes effect.** |

#### Wiki.js — Git-Backed Wiki | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Confluence, GitBook |
| **License** | AGPL-3.0 |
| **Stars** | 25k+ |
| **API** | GraphQL — **40% effective coverage**. Page queries work but **page creation/management API is incomplete**. Community feature request #5138 still open. No documented REST endpoints for full CRUD. Search API underdocumented. Permission/group APIs limited. |
| **API Gaps** | **Critical: AI agents cannot fully automate page lifecycle.** Form creation, hierarchy management, and user provisioning require UI interaction. |
| **SSO** | ✅ **OIDC native** — Keycloak integration confirmed working. |
| **Keycloak** | ✅ **Works via OIDC** — community guide available. No automatic group provisioning (feature request). |
| **Why include** | Unique: Git sync stores content as Markdown files (natural backup + version control). Best for developer/technical teams. Node.js (lightweight). |
| **AI can do** | Query pages, basic search. |
| **AI cannot do** | **Create/manage pages reliably via API.** Manage permissions. Manage users/groups. This is a major limitation for AI-first platform. |
| **Priority rationale** | P2 — OIDC works but API incompleteness violates our "AI does everything" requirement. Only suitable for dev teams with Git workflow. |

#### ~~AFFiNE~~ — **REMOVED** (was P2)

| Attribute | Detail |
|-----------|--------|
| **Status** | Active development (44k stars) but **not enterprise-ready**. |
| **Why removed** | **No public REST/GraphQL API** for programmatic automation (GitHub issue #1013 still open). SSO/Keycloak not supported (feature request #6464). Flat document structure. File management has reported issues (#8537). Too immature for production knowledge management. Local-first architecture conflicts with centralized AI agent model. **Revisit in 12-18 months when API and SSO ship.** |

---

### 3.5 Helpdesk & Support Tickets

Current coverage: Chatwoot (real-time omnichannel chat). Gap: structured ticket management with SLAs.

**Note:** Chatwoot and Zammad are complementary — Chatwoot handles *real-time messaging*, Zammad handles *structured support tickets*. See §1 catalog philosophy.

#### Zammad — Full Helpdesk | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Zendesk ($49-165/agent/mo), Freshdesk, Help Scout |
| **License** | AGPL-3.0 |
| **Stars** | 4.5k+ |
| **API** | REST — **95% coverage. "API First" philosophy: anything available via UI is available via API.** Full CRUD for tickets, articles (threaded responses), ticket linking, priorities, states, SLAs, knowledge base. Group/role/agent management. Search/query. Webhooks (triggers + schedulers). n8n integration. Auth: Token-based (recommended), HTTP Basic, OAuth 2.0. Pagination with hard caps. Python/PHP client libraries. |
| **API Gaps** | Webhook retry logic underdocumented. KB search granularity could be deeper. |
| **SSO** | ✅ **SAML 2.0 native** — import IdP metadata, auto-create users on first login. **OIDC native** (v6.5+). |
| **Keycloak** | ✅ **Fully supported** — RS256 certificate from Keycloak, SAML metadata, or OIDC as Relying Party. Email/name/role synchronization. |
| **Why include** | **"API First" = AI agents can manage 100% of ticket lifecycle.** Multi-channel consolidation (email, chat, social). Native OIDC + SAML + Keycloak. Mature codebase (10+ years). Eliminates per-seat SaaS costs. Complete SLA management. |
| **AI can do** | Create/manage/close tickets, assign agents, manage SLAs, search knowledge base, manage customers, automate workflows, generate reports. Everything. |
| **AI cannot do** | Nothing significant — API-first design means full coverage. |
| **Priority rationale** | P1 — non-negotiable for workforce platform. Highest API completeness + best SSO in helpdesk category. |

#### FreeScout — Shared Inbox Helpdesk | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Help Scout ($15-40/user/mo) |
| **License** | AGPL-3.0 |
| **Stars** | 3k+ |
| **API** | REST — 80% coverage. Conversations, replies, assignments, mailbox management. Webhooks for events. Auth: API key (`X-FreeScout-API-Key`). No rate limits. **Note:** API requires paid/community "API & Webhooks" module. |
| **API Gaps** | No SLA management API. Limited workflow automation endpoints. No KB creation API. |
| **SSO** | ✅ **SAML 2.0 via module** — auto-user creation, attribute mapping. |
| **Keycloak** | ⚠️ Possible via SAML bridge, not native OIDC. |
| **Why include** | Simpler than Zammad — focused on email-based shared inbox paradigm. Better UX for small support teams who don't need formal ticketing. No per-agent licensing. |
| **AI can do** | Create/manage conversations, assign agents, track status, manage mailboxes. |
| **AI cannot do** | SLA management. Advanced workflows. Knowledge base management. |
| **Priority rationale** | P2 — good email-centric alternative but less "AI-complete" than Zammad (80% vs 95%). |

#### ~~Peppermint~~ — **REMOVED** (was P3)

| Attribute | Detail |
|-----------|--------|
| **Why removed** | **No official API documentation.** Endpoints unclear, external ticket creation undocumented. No SSO support (no OIDC, SAML, or LDAP). Immature API (65% estimated). 1.5k stars (smallest community). Fails "AI does everything" requirement. |

---

### 3.6 Forms, Surveys & Data Collection

Current coverage: None (Typebot removed from customer catalog; retained for internal use). Gap: form/survey builder.

#### Formbricks — Survey Platform | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Typeform ($25-99/mo), SurveyMonkey, Qualtrics, JotForm |
| **License** | AGPL-3.0 |
| **Stars** | 9k+ |
| **API** | REST — 95% coverage. Management API: create/update/delete surveys, manage questions/types/welcome cards/thank-you cards/languages/branching logic. Response API: create/retrieve/update responses, partial submission capture. Conditional logic API (jump actions, show/hide). CSV export. 100+ templates accessible via API. JS/TS SDKs for React/Vue/Svelte. Rate limiting via headers (X-RateLimit-Limit/Remaining). Auth: API key (Management), no auth needed for Public Client API. |
| **API Gaps** | None significant — comprehensive forms/survey coverage. |
| **SSO** | ✅ **SAML 2.0 supported** — Entity ID configuration, ACS URL. Works in self-hosted. |
| **Keycloak** | ✅ **Works via SAML** — Keycloak as SAML IdP. Native OIDC not yet available (feature request #6297). |
| **Why include** | **Best-in-class survey/form API.** Conditional logic fully exposed via API = AI agents can build complex branching surveys autonomously. Privacy-first: self-hosted, no tracking. Unlimited responses (self-hosted). In-app surveys + website popups + link surveys = multi-channel data collection. |
| **AI can do** | Create surveys from templates, build custom forms with conditional logic, manage responses, export data, configure NPS/CES/CSAT. |
| **AI cannot do** | Nothing significant for forms/surveys. |
| **Priority rationale** | P1 — highest API completeness in forms category. Privacy-first alignment. SAML works for SSO. |

#### ~~Heyform~~ — **REMOVED** (was P2)

| Attribute | Detail |
|-----------|--------|
| **Why removed** | **No official REST API documentation.** Form creation API underdeveloped. Conditional logic not exposed via API. No SSO (OIDC requested in Discussion #58, not implemented). API score ~2/10 for AI agents. Formbricks is strictly superior on every dimension. |

#### LimeSurvey — Research-Grade Surveys | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | SurveyMonkey ($99-384/yr), Qualtrics, Google Forms |
| **License** | GPL-2.0 |
| **Stars** | 2.8k+ |
| **API** | JSON-RPC (RemoteControl 2) — 80% coverage. Survey creation/management, question management, response retrieval/export. Session key auth. **REST API listed as "TODO — under development."** 3rd-party REST wrapper exists (machitgarha/limesurvey-rest-api). |
| **API Gaps** | JSON-RPC is archaic vs REST/GraphQL. REST API still not available. Requires workarounds for modern integrations. |
| **SSO** | ✅ **LDAP built-in** (requires PHP LDAP). SAML via commercial/community plugins. OAuth2 via 3rd-party plugin for Keycloak. |
| **Keycloak** | ⚠️ Via 3rd-party OAuth2 plugin (BDSU/limesurvey-oauth2). Not native. |
| **Why include** | 15+ years of survey maturity. Massive customization via JS/HTML editing. **80+ language support** (unique). Multi-language surveys out-of-box. Best for research/academic contexts or international SMBs. |
| **AI can do** | Create surveys, manage questions, retrieve/export responses. |
| **AI cannot do** | Complex operations easily (JSON-RPC adds friction). REST-based automation. |
| **Priority rationale** | P2 — mature but dated API. Choose if multi-language surveys are critical. Otherwise Formbricks is superior. |

---

### 3.7 HR & People Management

Current coverage: Odoo (HR module). Gap: standalone HR.

#### OrangeHRM — HR Management | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | BambooHR ($99-299/mo), Workday, ADP |
| **License** | GPL-3.0 |
| **Stars** | 850+ |
| **API** | REST — 85% coverage. OAuth 2.0 (client_credentials). Employee CRUD, leave management, attendance, recruitment/ATS, performance reviews (360-degree), time tracking (clock in/out, timesheets), documents. Token valid 3600s. |
| **API Gaps** | Benefits/compensation may lack deep API coverage. Documentation could be clearer. |
| **SSO** | ✅ **OIDC native** — supports Google, Microsoft, Okta, Keycloak via OpenID Connect. |
| **Keycloak** | ✅ **Supported** via OIDC. |
| **Why include** | **Only OSS HR platform with complete feature set** (employees, leave, recruitment, reviews, time). 1M+ users worldwide. OIDC/Keycloak support. Modular design. No per-user licensing. |
| **AI can do** | Manage employee records, process leave requests, track attendance, manage recruitment pipeline, run performance reviews. |
| **AI cannot do** | Some advanced HR workflows (benefits administration). |
| **Priority rationale** | P2 — important if HR management is in scope but not every SMB needs standalone HR (Odoo module covers basics). |

---

### 3.8 Marketing & Social Media

Current coverage: Listmonk (email), Ghost (newsletters), WordPress (content). Gap: social media management, link management.

#### Dub — Link Management | **P2** (downgraded from P1)

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Bitly, Rebrandly |
| **License** | AGPL-3.0 |
| **Stars** | 19k+ |
| **API** | REST — 80% coverage. Link creation/management/deletion. Analytics (clicks, leads, sales). Referrer tracking. Custom domains, geo-targeting, device targeting. Password protection. Auth: Bearer token with scoped permissions. Rate limit: 60 req/min (free tier). |
| **API Gaps** | Conversion tracking limited to paid Business+ tier on cloud (verify self-hosted parity). No A/B testing. |
| **SSO** | ⚠️ **SAML only on enterprise SaaS tier.** Self-hosted version has no enterprise SSO out-of-box. Bearer token auth only. |
| **Keycloak** | ❌ Not supported for self-hosted. Would require custom auth layer. |
| **Why include** | Full link management platform with analytics. Device/geo-targeting useful for AI-driven campaigns. |
| **AI can do** | Create/manage short links, track analytics, manage custom domains. |
| **AI cannot do** | SSO login. A/B testing. Advanced conversion tracking (tier-dependent).
| | **Priority rationale** | Downgraded to P2 — no self-hosted SSO is a gap. Link management is useful but not critical path. | #### Shlink — URL Shortener | **P3** (downgraded from P2) | Attribute | Detail | |-----------|--------| | **Replaces** | Bitly (free tier), TinyURL | | **License** | MIT | | **Stars** | 3.2k+ | | **API** | REST — 60% coverage. Short URL CRUD, custom slugs, visit analytics (geo, referrer, device), domain/tag management. API key + RBAC auth. | | **API Gaps** | **No webhook support.** No bulk operations API. No link preview customization. Limited metadata. | | **SSO** | ❌ No SSO support. API key + basic auth for web UI only. | | **Keycloak** | ❌ Not supported. | | **Why include** | Lightweight, zero-subscription URL shortener. Privacy-friendly. Works offline. Good for basic link tracking. | | **Priority rationale** | Downgraded to P3 — Dub is superior in every dimension except simplicity. No SSO, no webhooks. | #### Mixpost — Social Media Management | **P2** | Attribute | Detail | |-----------|--------| | **Replaces** | Buffer, Hootsuite, Later, Sprout Social (basic) | | **License** | MIT | | **Stars** | 1.2k+ | | **API** | REST (via community addon) — 70% coverage. Post creation/scheduling/publishing, account management, analytics querying, team management, approval workflows. Laravel Sanctum tokens. Rate limit: 60 req/min (configurable). HMAC webhook validation. n8n integration bridges gaps. | | **API Gaps** | Limited analytics API depth. No audience insights. No social listening. | | **SSO** | ❌ No native OIDC/SAML. Laravel Sanctum (token-based) only. | | **Keycloak** | ❌ Not supported. Would require custom middleware. | | **Why include** | All-in-one social media management (scheduling + publishing + analytics + approvals) with zero recurring cost. n8n automation compensates for API gaps. Content approval workflow useful for teams. 
| | **AI can do** | Create/schedule/publish posts across platforms, manage accounts, trigger approval workflows. | | **AI cannot do** | Advanced analytics. Audience insights. Social listening. SSO login. | | **Priority rationale** | P2 — strong for SMB marketing but weak SSO story and smaller community. | #### ~~LinkStack~~ — **REMOVED** (was P3) | Attribute | Detail | |-----------|--------| | **Why removed** | **No public REST/GraphQL API.** UI-only platform. AI agent readiness: 0/10. Cannot automate link updates, analytics, or user management. No SSO. Fails "AI does everything" requirement completely. | --- ### 3.9 E-Commerce & Payments Current coverage: None beyond Odoo (sales module). Gap: headless storefront. #### Medusa — Headless Commerce (REST) | **P1** | Attribute | Detail | |-----------|--------| | **Replaces** | Shopify Plus API, BigCommerce headless, WooCommerce | | **License** | MIT | | **Stars** | 27k+ | | **API** | REST — 90% coverage. Dual-endpoint (Store APIs + Admin APIs). Products (CRUD, bulk import, variants), orders (creation, fulfillment, payment, status), customers, carts/checkout, inventory (multi-warehouse), promotions, payments (Stripe, PayPal, custom), shipping. Auth: Bearer token/session. | | **API Gaps** | Limited webhook filtering. No delivery guarantees on webhooks. Batch operation size limits. | | **SSO** | ⚠️ OAuth2 available via custom auth modules (Okta, Google, Azure documented). Not built-in. | | **Keycloak** | ⚠️ Possible via custom plugin (medium complexity). Plugin architecture supports it. | | **Why include** | **Most complete REST e-commerce API.** JavaScript/Node.js native (TypeScript). Multi-channel (web, mobile, B2B, marketplace). Modular plugin system. Real-time inventory sync. Multi-warehouse. Developer SDK. 27k stars = large community. | | **AI can do** | Manage entire store: products, orders, customers, inventory, payments, shipping, promotions. | | **AI cannot do** | Complex SSO (requires plugin). 
Frontend rendering (headless = BYO frontend). | | **Priority rationale** | P1 — essential e-commerce backbone. REST API is more AI-friendly than Saleor's GraphQL. | #### Saleor — Headless Commerce (GraphQL) | **P1** (upgraded from P2) | Attribute | Detail | |-----------|--------| | **Replaces** | Shopify Plus, commercetools | | **License** | BSD-3 | | **Stars** | 21k+ | | **API** | GraphQL-first — 85% coverage. Full mutations for products/variants, orders, customers, cart/checkout, inventory, promotions, taxes (multi-jurisdiction), webhooks (event-driven). Auth: OIDC (external provider) + API tokens. | | **API Gaps** | GraphQL learning curve steeper than REST. Limited subscription management. Bulk operation performance limits. | | **SSO** | ✅ **OIDC built-in** — configurable via dashboard. Turnkey Keycloak via OIDC plugin. | | **Keycloak** | ✅ **Fully supported** — native OIDC plugin integration. | | **Why include** | **Superior SSO/Keycloak vs. Medusa.** Enterprise-grade tax/shipping rules (multi-jurisdiction). GraphQL enables efficient batching for complex queries. Python/Django backend enables data science teams. Event-driven webhook architecture. | | **AI can do** | Same as Medusa: full store management. GraphQL batching enables more efficient complex queries. | | **AI cannot do** | Simple REST calls (GraphQL adds complexity). | | **Priority rationale** | Upgraded to P1 — **Offer both Medusa (REST, simpler) and Saleor (GraphQL, SSO-native, enterprise).** Let the customer choose based on their needs. This is a justified overlap: different API paradigms and different SSO stories. | --- ### 3.10 Low-Code App Builders Current coverage: NocoDB (spreadsheet UI). Gap: full low-code app builder. Windmill removed (managed service prohibition). 
*(Baserow was evaluated but excluded — NocoDB covers the no-code database niche.)*

#### ToolJet — Low-Code Platform (AI-Native) | **P1** (upgraded from P2)

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Retool, Appsmith, Internal.io |
| **License** | AGPL-3.0 |
| **Stars** | 33k+ |
| **API** | REST + JavaScript/Python — 90% coverage. Application management, workflow automation (60+ components), user/team management, database queries (ToolJet Database = PostgreSQL-based), API integrations (custom REST, GraphQL, gRPC). **75+ data source connectors.** **Native AI agents (Agent Node) + LLM integration (GPT, Hugging Face).** API key auth. Webhook/cron triggers. |
| **API Gaps** | None significant for AI agents. Mature feature set. |
| **SSO** | ✅ **Native OIDC** — explicit Keycloak support documented. Authorization Code + PKCE flows. |
| **Keycloak** | ✅ **Fully supported** — dedicated setup guide. |
| **Why include** | **Best low-code platform for AI agents in 2026.** Native LLM integration. 75+ data sources. Multiplayer editing. AI app generation from natural language. JavaScript/Python for custom logic. Community edition = unlimited users. |
| **AI can do** | Build internal tools, connect to databases, create UIs, run automations, manage users. Native AI agent capabilities. |
| **AI cannot do** | Nothing significant — most AI-ready low-code platform. |
| **Priority rationale** | Upgraded to P1 — **primary low-code choice over Budibase** due to superior AI agent maturity, more connectors, and multiplayer editing. |

#### ~~Budibase~~ — **REMOVED** (was P2)

| Attribute | Detail |
|-----------|--------|
| **Status** | **License incompatible with managed service deployment.** |
| **Why removed** | Self-hosted terms (updated Feb 2025) explicitly prohibit "providing the source-available software to third parties as a hosted or managed service where the service provides users with access to any substantial set of the features or functionality of the software." Direct conflict with LetsBe's model. Also has 20-user limit on free tier. |

#### ~~AppFlowy~~ — **REMOVED** (was P2)

| Attribute | Detail |
|-----------|--------|
| **Why removed** | **No public REST/GraphQL API** (GitHub issue #1013 still open). AI agent readiness: 0/10. No SSO support. Local-first architecture conflicts with centralized AI agent management. 60k stars but not enterprise-ready for our use case. **Revisit when public API ships.** |

---

### 3.11 Communication — Extended

Current coverage: Stalwart Mail (email server), Chatwoot (customer chat), Listmonk (newsletters). Gap: internal team messaging.

#### Rocket.Chat — Team Messaging | **P1**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Slack, Microsoft Teams |
| **License** | MIT |
| **Stars** | 41k+ |
| **API** | REST + Realtime (DDP) — 90% coverage. Messages, channels, users, rooms, bots, file uploads/downloads, admin operations. Real-time via DDP alongside REST. Configurable rate limiter with x-ratelimit headers (bypassable with `api-bypass-rate-limit` permission). Token-based + OAuth auth. |
| **API Gaps** | Some admin operations are complex. Rate limiting configuration non-trivial. |
| **SSO** | ✅ **OIDC + SAML both supported** — auto-group mapping to rooms. Role synchronization (Merge Roles from SSO). RSA_SHA1 signature algorithm for SAML. |
| **Keycloak** | ✅ **Fully supported** — battle-tested with detailed setup guides. Group mapping + role sync. |
| **Why include** | **Best messaging option for privacy-first platform.** Built-in E2EE (end-to-end encryption). 180+ custom permissions. Advanced threads. Live chat widget for external communication. Omnichannel capabilities. White-labeling. Most mature, actively developed (19 GSoC 2025 projects). |
| **AI can do** | Send/read messages, manage channels, manage users, bots, file sharing, search, admin operations. |
| **AI cannot do** | Some advanced admin configuration (UI-only). |
| **Priority rationale** | P1 — critical for internal communications. E2EE + Keycloak + comprehensive API. |

#### Mattermost — DevOps-Focused Messaging | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Slack (for dev teams), Microsoft Teams |
| **License** | MIT (Team) + Proprietary (Enterprise) |
| **Stars** | 31k+ |
| **API** | REST (OpenAPI-spec) — 80% coverage. Channels, posts, users, teams, files, plugins. Plugin architecture extends API. Rate limiting with X-Ratelimit headers (not intended for >500 users). |
| **API Gaps** | Rate limiting limitations at scale. No real-time protocol as clean as Rocket.Chat's DDP. |
| **SSO** | ✅ **OIDC + SAML 2.0** — Keycloak, Okta, Azure, Auth0, etc. |
| **Keycloak** | ✅ **Supported** — requires client mappers for OIDC compatibility. SAML uses RSA_SHA1. |
| **Why include** | Developer-centric: GitHub/GitLab/Jira/Jenkins playbooks. Playbooks for incident response. Boards for project management. Better for engineering teams. |
| **AI can do** | Send/read posts, manage channels/teams, file uploads, search, plugin interactions. |
| **AI cannot do** | **No end-to-end encryption** (only in-transit/at-rest). Less privacy-forward than Rocket.Chat. |
| **Priority rationale** | P2 — strong alternative for DevOps-heavy teams. Less privacy-first than Rocket.Chat. |

#### Element/Synapse — Federated Messaging | **P3** (downgraded)

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Slack (decentralized), Signal |
| **License** | AGPL-3.0 (changed from Apache-2.0 in 2023, Synapse v1.99+) |
| **Stars** | 11k+ (Synapse) |
| **API** | Matrix Client-Server API (v1.14+) — 70% coverage. Messages, rooms, users, sync, file uploads. Protocol-level API (less business-logic than Rocket.Chat/Mattermost). |
| **API Gaps** | Slower API evolution (protocol-bound). Less business-logic endpoints. More operational complexity (federation requires DNS/reverse proxy). |
| **SSO** | ⚠️ **OIDC transitioning** — Matrix Authentication Service (MAS) moving to industry-standard OAuth2/OIDC. Not fully native yet. |
| **Keycloak** | ⚠️ Possible via MAS but not production-ready for all clients. |
| **Why include** | Federation = communicate across homeservers (unique). E2EE by default. Open protocol. Used by German healthcare (Ti-Messenger) — credibility signal. Long-term strategic investment. |
| **Priority rationale** | Downgraded to P3 — API maturity lag, federation complexity, OIDC still transitioning. Strategic long-term but not production-ready for our v1. |

---

### 3.12 Scheduling & Booking — Extended

Current coverage: Cal.com (excellent). Gap: none critical.

#### Easy!Appointments — Appointment Scheduling | **P3**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Calendly (basic), Acuity Scheduling |
| **License** | GPL-3.0 |
| **Stars** | 3.3k+ |
| **API** | REST — 80% coverage. Appointments CRUD, services, staff, customers. Google Calendar bidirectional sync. OpenAPI/Swagger UI. No rate limits documented. |
| **API Gaps** | Narrow business logic (appointment-only). No employee scheduling beyond availability. |
| **SSO** | ❌ **No SSO support** — local username/password only. Would require oauth2-proxy wrapper. |
| **Keycloak** | ❌ Not supported. |
| **Why include** | Niche appointment booking with Google Calendar sync. Lightweight PHP backend. Embedded booking widget. |
| **Priority rationale** | P3 — Cal.com already covers scheduling excellently. No SSO is a gap. Only add if specific appointment-booking workflow needed beyond Cal.com. |

---

### 3.13 Backup & Storage

Current coverage: MinIO (object storage), Netcup snapshots. Gap: application-level backup management.

#### Duplicati — Encrypted Backup | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Backblaze Personal, Carbonite, Acronis |
| **License** | MIT (changed from LGPL-2.1 in March 2024) |
| **Stars** | 11k+ |
| **API** | REST — 60% coverage. Backup management, scheduling, restoration via `/api/v1/*` endpoints. CLI has more options than API. Retention policies (--keep-time, --keep-versions). |
| **API Gaps** | API primarily for UI integration, not full lifecycle automation. CLI more powerful. |
| **SSO** | ⚠️ **OIDC is Enterprise feature only** (requires paid license). Open-source version: no SSO. |
| **Keycloak** | ⚠️ Enterprise only. |
| **Why include** | Supports any cloud backend (B2, S3, Azure, Google Drive). **Client-side encryption** (zero-knowledge backups). Deduplication + compression. Incremental backups. Critical for backup/DR in privacy-first platform. |
| **AI can do** | Schedule backups, monitor status, trigger restoration. |
| **AI cannot do** | Complex restore operations (CLI better). SSO login on open-source. |
| **Priority rationale** | P2 — critical infrastructure but API limitations and SSO paywall are concerns. Consider for infrastructure tier (not customer-facing). |

---

### 3.14 Media & Asset Management

Current coverage: Nextcloud (files), MinIO (storage). Gap: media-specific management.

#### Immich — Photo/Video Management | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Google Photos, Amazon Photos, Apple iCloud |
| **License** | AGPL-3.0 |
| **Stars** | 55k+ |
| **API** | REST (OpenAPI) — 90% coverage. Upload, organize, search, tag, share, facial recognition. Fine-grained API key permissions (asset.read/upload, album.read/write, library.read, user.read). External library support. Partner sharing. Auto-generated TypeScript + Dart SDKs. |
| **API Gaps** | None significant for photo/video operations. |
| **SSO** | ✅ **OIDC native** via Keycloak. Also works with Authelia, authentik. |
| **Keycloak** | ✅ **Supported** — known issue: mobile app OAuth has code verifier errors with Keycloak (web works reliably). |
| **Why include** | Self-hosted Google Photos replacement. AI-powered search + facial recognition. Timeline/memories. Mobile apps (iOS/Android). Privacy-first: all media on-premise. 55k stars = fastest growing project in catalog. |
| **AI can do** | Upload, organize, search (including ML-powered), tag, share, manage albums, manage libraries. |
| **AI cannot do** | Mobile SSO (web-only OIDC currently reliable). |
| **Priority rationale** | P2 — excellent tool but photo/video management isn't core SMB workflow. Critical for privacy-conscious teams replacing Google Photos. |

#### Paperless-ngx — Document Management | **P2**

| Attribute | Detail |
|-----------|--------|
| **Replaces** | Evernote, OneNote, Google Drive (document management), Adobe Scan |
| **License** | GPL-3.0 |
| **Stars** | 23k+ |
| **API** | REST (versioned v1, v2+) — 80% coverage. Document upload, OCR (Tesseract, 100+ languages), search, tag, organize by correspondent/type, bulk operations. Granular permissions. Consumption workflows (auto-classify). Auth: session, API tokens, username/password. |
| **API Gaps** | OIDC integration less polished than native implementations. Setup requires specific env vars. |
| **SSO** | ✅ **OIDC via django-allauth** (v2.5.0+). Also supports HTTP_REMOTE_USER header auth for reverse-proxy SSO. |
| **Keycloak** | ✅ **Supported** — requires PAPERLESS_APPS + PAPERLESS_SOCIALACCOUNT_PROVIDERS configuration. |
| **Why include** | **OCR-first workflow** — turns scanned PDFs into searchable archives. AI auto-tagging with machine learning. Nested tag hierarchies. Consumption templates (automated workflow rules). Purpose-built for document digitization. |
| **AI can do** | Upload documents, trigger OCR, search full-text, manage tags/correspondents, bulk operations, auto-classify. |
| **AI cannot do** | Complex OIDC setup is less seamless than BookStack/Outline. |
| **Priority rationale** | P2 — strong for document digitization. Not every SMB needs this but very valuable for paper-heavy businesses. |

---

## 4. Priority Summary

### P1 — High Priority (10 tools, first expansion wave)

These fill the biggest gaps, have the strongest APIs for AI automation, and support Keycloak SSO:

| Domain | Tool | API Score | SSO/Keycloak | What It Unlocks |
|--------|------|-----------|-------------|----------------|
| CRM | **EspoCRM** | 90% (REST) | ✅ Native OIDC | **Primary CRM. Native Keycloak.** Email sending API. Enterprise-ready. |
| Accounting | **Bigcapital** | 85% (REST) | ⚠️ Proxy needed | Only OSS double-entry accounting with full API. **Replaces both Invoice Ninja and Akaunting.** |
| Project Mgmt | **Plane** | 95% (REST) | ✅ Native OIDC | Best PM API + Keycloak. SDKs in Node.js/Python |
| Knowledge Base | **BookStack** | 95% (REST) | ✅ OIDC + SAML | Highest KB API. Structured hierarchy. MIT license |
| Helpdesk | **Zammad** | 95% (REST) | ✅ OIDC + SAML | "API First" — 100% ticket lifecycle via API |
| Forms/Surveys | **Formbricks** | 95% (REST) | ✅ SAML | Conditional logic API. Privacy-first. |
| E-Commerce | **Medusa** | 90% (REST) | ⚠️ Plugin needed | Best REST e-commerce API. Multi-warehouse |
| E-Commerce | **Saleor** | 85% (GraphQL) | ✅ Native OIDC | Enterprise SSO. Multi-jurisdiction tax/shipping |
| Low-Code | **ToolJet** | 90% (REST+JS/Py) | ✅ Native OIDC | Native AI agents. 75+ connectors. Multiplayer |
| Team Messaging | **Rocket.Chat** | 90% (REST+DDP) | ✅ OIDC + SAML | E2EE. Group/role sync. Most mature messaging |

Adding P1 tools brings the catalog from **28 → 38 tools**.

**SSO summary for P1:** 8 of 10 have native Keycloak support. The remaining 2 (Bigcapital, Medusa) can use oauth2-proxy sidecar or plugin integration. **Note:** Stalwart Mail (current tool) also has native OIDC/Keycloak.

### P2 — Medium Priority (10 tools, second expansion wave)

| Domain | Tool | API Score | SSO/Keycloak |
|--------|------|-----------|-------------|
| CRM | Corteza | 70% | ✅ OIDC + SAML |
| Project Mgmt | Leantime | 70% (JSON-RPC) | ✅ OIDC |
| Project Mgmt | Vikunja | 75% | ✅ OIDC |
| Project Mgmt | OpenProject | 90% (HATEOAS) | ✅ OIDC + SAML |
| Knowledge Base | Wiki.js | 40% (GraphQL) | ✅ OIDC |
| Helpdesk | FreeScout | 80% | ✅ SAML |
| Team Messaging | Mattermost | 80% | ✅ OIDC + SAML |
| Marketing | Dub | 80% | ❌ Self-hosted |
| Marketing | Mixpost | 70% | ❌ |
| HR | OrangeHRM | 85% | ✅ OIDC |

Adding P2 tools brings the catalog from **38 → 48 tools**.

### P2 — Infrastructure/Media tier (4 tools)

| Domain | Tool | API Score | SSO/Keycloak |
|--------|------|-----------|-------------|
| Surveys | LimeSurvey | 80% (JSON-RPC) | ⚠️ Plugin |
| Backup | Duplicati | 60% | ✅ (MIT now) |
| Media | Immich | 90% | ✅ OIDC |
| Documents | Paperless-ngx | 80% | ✅ OIDC |

Adding these brings the catalog from **48 → 52 tools**.

### P3 — Lower Priority (3 tools)

| Domain | Tool | Reason |
|--------|------|--------|
| Marketing | Shlink | Dub is superior; no SSO; no webhooks |
| Scheduling | Easy!Appointments | Cal.com already covers; no SSO |
| Communication | Element/Synapse | AGPL-3.0 (changed from Apache); federation complexity |

Adding P3 tools: **52 → 55 tools**.
### REMOVED from catalog — License Incompatible (16 tools)

| Tool | Was | Reason |
|------|-----|--------|
| n8n | Current | **Sustainable Use License** — prohibits hosting as part of paid service |
| Poste.io | Current | **Proprietary** — "No Software may be used by, or pledged or delivered to, any third party." **Replaced by Stalwart Mail (AGPL-3.0).** |
| Windmill | Current | **AGPL + additional restriction** — "cannot sell, resell, serve as managed service" |
| Typebot | Current | **Fair Source License (FSL)** — prohibits competing products (changed from AGPL in 2024) |
| Invoice Ninja | Current | **Elastic License 2.0** — prohibits providing as "hosted or managed service" (not AGPL as listed) |
| Twenty | Expansion P1 | **Dual-licensed** — enterprise files required for production use, commercial license needed |
| Outline | Expansion P1 | **BSL 1.1** — prohibits "Document Service" (commercial doc platform). Converts to Apache 2.0 in Jan 2030 |
| Akaunting | Expansion P2 | **BSL** — prohibits providing "to third parties as an Accounting Service" (not GPL as listed) |
| Budibase | Expansion P2 | **Self-hosted terms** — explicitly prohibit "hosted or managed service" (updated Feb 2025) |
| Crater | Expansion | **Project abandoned** (Aug 2023). Security risk. |
| Focalboard | Expansion | **Maintenance uncertain.** No SSO. API 50%. |
| Peppermint | Expansion | **No API documentation.** No SSO. |
| Heyform | Expansion | **No API for AI agents.** No SSO. |
| LinkStack | Expansion | **No API at all** (0/10). No SSO. UI-only. |
| AppFlowy | Expansion | **No public API** (issue #1013). No SSO. |
| AFFiNE | Expansion | **No public REST/GraphQL API**. No SSO. |

---

## 5. Resource Profiles

Each tool consumes different amounts of RAM, CPU, and disk. This affects which tier (Lite/Build/Scale/Enterprise) can run them.
### Lightweight (<256 MB RAM)

Umami, Uptime Kuma, Shlink, Dub, GlitchTip, Listmonk, Static HTML, Diun, Vaultwarden, Vikunja, Easy!Appointments

### Medium (256–512 MB RAM)

Gitea, Drone CI, NocoDB, Ghost, Cal.com, Chatwoot, Activepieces, Documenso, Redash, Stalwart Mail, Formbricks, BookStack, FreeScout, Mixpost, Paperless-ngx, EspoCRM

### Heavy (512 MB–1 GB RAM)

WordPress, Nextcloud, MinIO, Penpot, Squidex, LibreChat, Odoo, Keycloak, Portainer, Wiki.js, Bigcapital, OpenProject, Plane, Zammad, Rocket.Chat, ToolJet, Leantime, Duplicati, Immich

### Very Heavy (1 GB+ RAM)

Mattermost, Element/Synapse, Medusa, Saleor, OrangeHRM, LimeSurvey, Corteza

**Tier mapping (approximate):**

| Tier | Server RAM | Recommended Max Tools | Notes |
|------|-----------|----------------------|-------|
| Lite | 8 GB | 8-10 lightweight + medium | Core + a few business tools |
| Build | 16 GB | 15-20 mixed | Most common business stack |
| Scale | 32 GB | 25-30 mixed | Full platform, multiple heavy tools |
| Enterprise | 64 GB | 35+ including very heavy | Everything, including Rocket.Chat + PM + full ERP |

---

## 6. AI Agent Integration Assessment

Based on deep API research, here's the updated integration surface:

### Tier 1: Full AI Automation (90%+ API coverage — agents do everything)

EspoCRM (REST, email API), Plane (REST, SDKs), BookStack (REST, 95%), Zammad (REST, "API First"), Formbricks (REST, conditional logic API), Medusa (REST, dual-endpoint), Rocket.Chat (REST+DDP), ToolJet (REST+JS/Py, native AI agents), Immich (REST, OpenAPI SDKs), NocoDB, Gitea, Cal.com, Chatwoot, Listmonk, Umami, Activepieces

### Tier 2: Strong AI Automation (70-89% — agents do core tasks, minor UI gaps)

Stalwart Mail (REST Management API, 80%), Saleor (GraphQL, 85%), OrangeHRM (REST, 85%), Bigcapital (REST, 85%), OpenProject (REST/HATEOAS, 90%), FreeScout (REST, 80%), Dub (REST, 80%), Paperless-ngx (REST, 80%), LimeSurvey (JSON-RPC, 80%), Vikunja (REST, 75%), Mixpost (REST, 70%), Leantime (JSON-RPC, 70%), Corteza (REST, 70%)

### Tier 3: Partial AI Automation (40-69% — significant UI interaction still needed)

Odoo (REST+XML-RPC), WordPress (REST), Nextcloud (WebDAV+OCS), Ghost (Content+Admin API), Keycloak (Admin REST), Penpot (limited), Redash (queries/dashboards), Duplicati (REST, 60%), Wiki.js (GraphQL, 40%), Shlink (REST, 60%)

### Tier 4: Minimal/No API (agents cannot effectively operate)

Portainer, Uptime Kuma, GlitchTip, Vaultwarden, Static HTML, Diun, Mattermost (Bot API), Element/Synapse (Matrix API), Easy!Appointments (REST but no SSO)

---

## 7. SSO / Keycloak Compatibility Matrix

| Tool | OIDC | SAML | Keycloak Tested | Group/Role Sync | Notes |
|------|------|------|-----------------|-----------------|-------|
| **Stalwart Mail** | ✅ Native (v0.11.5+) | ❌ | ✅ Yes | — | OIDC open-sourced under AGPL. OAUTHBEARER SASL. |
| **EspoCRM** | ✅ Native | ❌ | ✅ Yes | ✅ Auto-team mapping | Best CRM SSO. Primary CRM. |
| **Corteza** | ✅ Native | ✅ Native | ✅ Yes | — | Best overall SSO (OIDC+SAML) |
| **Plane** | ✅ Native | ❌ | ✅ Yes | — | Via God Mode |
| **BookStack** | ✅ Native | ✅ Native | ✅ Yes | — | Token refresh issue workaround |
| **Zammad** | ✅ Native (v6.5+) | ✅ Native | ✅ Yes | ✅ Role sync | Most enterprise-ready |
| **Rocket.Chat** | ✅ Native | ✅ Native | ✅ Yes | ✅ Group→room, role sync | Best messaging SSO |
| **Saleor** | ✅ Native | ❌ | ✅ Yes | — | Turnkey OIDC plugin |
| **ToolJet** | ✅ Native | ❌ | ✅ Yes | — | Auth Code + PKCE |
| **OrangeHRM** | ✅ Native | ⚠️ Custom | ✅ Yes | — | via Starter edition |
| **Mattermost** | ✅ Native | ✅ Native | ✅ Yes | ⚠️ Mappers needed | Requires claim transforms |
| **OpenProject** | ✅ Native (v15+) | ✅ Enterprise | ✅ Yes | ✅ Group sync | Most robust PM SSO |
| **Vikunja** | ✅ Native | ❌ | ✅ Yes | ✅ Team from claims | First-class Keycloak support |
| **Leantime** | ✅ Native | ❌ | ✅ Yes | — | + LDAP support |
| **Wiki.js** | ✅ Native | ⚠️ Undoc | ✅ Yes | ❌ No group sync | |
| **Immich** | ✅ Native | ❌ | ✅ Yes | — | Mobile SSO has issues |
| **Paperless-ngx** | ✅ django-allauth | ❌ | ✅ Yes | — | Requires env config |
| **Formbricks** | ⚠️ Pending | ✅ SAML | ✅ via SAML | — | OIDC in roadmap |
| **FreeScout** | ❌ | ✅ Module | ⚠️ via SAML | — | Plugin-based |
| **LimeSurvey** | ⚠️ Plugin | ⚠️ Plugin | ⚠️ via plugin | — | 3rd-party OAuth2 plugin |
| **Bigcapital** | ❌ | ❌ | ❌ | — | oauth2-proxy workaround |
| **Medusa** | ⚠️ Plugin | ❌ | ⚠️ via plugin | — | Custom auth module |
| **Dub** | ❌ (self-hosted) | ❌ | ❌ | — | Cloud-only SAML |
| **Mixpost** | ❌ | ❌ | ❌ | — | Laravel Sanctum only |
| **Duplicati** | ✅ (MIT now) | ❌ | ✅ Likely | — | License changed to MIT March 2024 |

**Summary:** Stalwart Mail (current) has native OIDC/Keycloak. Of the 27 expansion tools, 16 have native or tested Keycloak support (including Mattermost), 4 more can use proxy/plugin workarounds, and 7 have no SSO story.

---

## 8. Category Dependencies and Recommendations

When a customer selects their tools during onboarding, the system recommends complementary tools:

| If customer selects... | Also recommend... | Reason |
|----------------------|-------------------|--------|
| Any CRM (EspoCRM, Odoo CRM) | Bigcapital | CRM without invoicing/accounting is half a workflow. Bigcapital covers both invoicing + accounting. |
| Any PM tool (Plane, Leantime, OpenProject) | BookStack or Wiki.js | Projects need documentation |
| Any CMS (Ghost, WordPress) | Umami | Content without analytics is flying blind |
| Chatwoot | Zammad | Real-time chat + structured tickets = full support stack |
| Listmonk | Formbricks | Email campaigns + surveys = full feedback loop |
| Gitea | Drone CI | Code hosting without CI is incomplete |
| Any team messaging (Rocket.Chat) | Cal.com | Team chat + scheduling = coordinated team |
| Any e-commerce (Medusa or Saleor) | Bigcapital, Dub | Selling needs accounting and link tracking |
| Any low-code (ToolJet) | Rocket.Chat, Plane | Internal tools need communication + PM |
| OrangeHRM | Rocket.Chat, Cal.com | HR needs scheduling + team communication |

---

## 9. Licensing Notes

**All remaining tools use OSI-approved open source licenses** compatible with managed service deployment. v2.1 audit removed all tools with source-available, BSL, Elastic, Fair Source, Sustainable Use, or proprietary licenses.

**AGPL compliance policy:** We deploy unmodified upstream Docker images. AGPL requires source availability to network users only if the code is modified. Since we don't modify code and customers have SSH access to their servers, we are naturally compliant. If we ever patch an AGPL tool, we must make modified source available.

Notable license nuances:

| Tool | License | Notes |
|------|---------|-------|
| **Odoo** | LGPL-3.0 (Community) | Community Edition only. Enterprise Edition is proprietary — do not deploy Enterprise modules. |
| **Mattermost** | MIT (Team) + Proprietary (Enterprise) | Team Edition only. Enterprise features not included. Verify no EE components in Docker image. |
| **Saleor** | BSD-3 | Most permissive license in catalog. No restrictions. |
| **ToolJet** | AGPL-3.0 | Community Edition unlimited users. Enterprise features separate. Deploy CE only. |
| **EspoCRM** | AGPL-3.0 | Changed from GPL-3.0 in v8.1. Standard AGPL — no additional restrictions. |
| **Rocket.Chat** | MIT (Community) + Proprietary (EE) | Deploy Community Edition only. Verify no EE components. |
| **Duplicati** | MIT | Changed from LGPL-2.1 in March 2024. Fully permissive now. |
| **Stalwart Mail** | AGPL-3.0 | Dual-licensed (AGPL + SELv1 Enterprise). Deploy community edition under AGPL. OIDC open-sourced in v0.11.5. |
| **Immich** | AGPL-3.0 | Changed from MIT in 2024. Still compatible with our model. |
| **Element/Synapse** | AGPL-3.0 | Changed from Apache-2.0 in 2023 (Synapse v1.99+). Compatible with our model. |
| **Formbricks** | AGPL-3.0 | Core is AGPL. Enterprise features in `/ee` folder under separate license — deploy core only. |
| **Documenso** | AGPL-3.0 | Open core — EE folder has separate license. Deploy community features only. |

---

## 10. Open Questions

| # | Question | Status | Notes |
|---|----------|--------|-------|
| 1 | n8n license | Resolved | **Removed.** Sustainable Use License prohibits managed service deployment. |
| 2 | Outline BSL | Resolved | **Removed.** BSL prohibits Document Service. Converts to Apache 2.0 in Jan 2030. |
| 3 | Tool resource profiling | Open | Actual RAM/CPU measurements needed via load testing |
| 4 | AI agent integration prioritization | Open | Which tools get OpenClaw MCP integrations first? Recommended: EspoCRM, Plane, Zammad, BookStack, Rocket.Chat, Bigcapital |
| 5 | Tool update strategy | Open | How do we handle upstream tool updates? |
| 6 | Maximum tool count per tier | Open | Need benchmarks per Netcup server tier |
| 7 | Email server replacement | Resolved | **Stalwart Mail (AGPL-3.0) selected.** All-in-one: SMTP, IMAP, JMAP, POP3, CalDAV, CardDAV, WebDAV. Native OIDC/Keycloak (v0.11.5+). Management REST API. Built-in DKIM/SPF/DMARC/ARC. Written in Rust. Added to current tools. |
| 8 | Default CRM | Resolved | **EspoCRM is primary** (native Keycloak, email API). Twenty removed (commercial license required). |
| 9 | Medusa vs. Saleor as default e-commerce | Open | Medusa (REST, simpler) vs. Saleor (GraphQL, native SSO). Both kept — justified overlap. |
| 10 | ToolJet vs. Budibase | Resolved | **ToolJet is primary.** Budibase removed (managed service prohibition in self-hosted terms). |
| 11 | oauth2-proxy deployment pattern | Open | Need standard pattern for tools without native SSO (Bigcapital, Medusa). |
| 12 | Automation tool gap | **Important** | Only Activepieces (MIT) remains for workflow automation. Evaluate adding more: **Automatisch** (AGPL-3.0, Zapier alternative), or confirm Activepieces covers enough. n8n, Windmill, Typebot all removed. |
| 13 | Invoicing + accounting replacement | Resolved | **Bigcapital (AGPL-3.0, P1) covers both Invoice Ninja and Akaunting gaps.** Invoicing with customizable templates + full double-entry accounting + inventory. Also available: **InvoiceShelf** (AGPL-3.0, Docker) as a lighter invoicing-only alternative. Odoo invoicing module is interim until P1 deployment. |
| 14 | Conversational form builder replacement | Open | Typebot removed (FSL). Evaluate: **Chatwoot bot flows**, **Botpress** (MIT), or custom Activepieces flows. |
| 15 | Legal framing for OSS deployment | **Resolved** | **ToS v1.1 §2.3 and §7.2 updated with full infrastructure-provider language.** LetsBe framed as infrastructure management and AI orchestration provider, not software vendor.
Customer is licensee, unmodified upstream Docker images, full SSH + credentials, enterprise licenses direct from vendors, tool list published on website. Foundation Document decision #39 aligned. | --- ## 11. Changelog | Version | Date | Changes | |---------|------|---------| | 1.0 | 2026-02-26 | Initial catalog. 31 current tools. 36 expansion candidates across 14 domains. | | 1.1 | 2026-02-26 | Catalog philosophy. Invoice Ninja to current (32). Baserow/IceHRM removed. Overlap notes. | | 2.0 | 2026-02-26 | **Deep research evaluation of all expansion candidates.** Every tool evaluated for API completeness, SSO/Keycloak support, and strategic justification. 7 tools removed for API/maintenance issues. SSO compatibility matrix (§7) and AI Agent Integration Assessment (§6) added. | | 2.1 | 2026-02-26 | **Comprehensive license audit.** Verified every tool's license for managed service compatibility. **9 additional tools removed** for license violations: n8n (Sustainable Use), Poste.io (Proprietary), Windmill (managed service prohibition), Typebot (Fair Source), Invoice Ninja (Elastic License 2.0), Twenty (commercial license for production), Outline (BSL Document Service restriction), Akaunting (BSL accounting service restriction), Budibase (managed service prohibition). **License corrections:** EspoCRM GPL→AGPL-3.0, Element/Synapse Apache→AGPL-3.0, OrangeHRM GPL-2.0→GPL-3.0, Duplicati LGPL→MIT. Selection criteria updated to explicitly exclude BSL/Sustainable Use/Elastic/FSL licenses. Current tools: 32→27. Expansion: 30→27 (P1: 10, P2: 10+4 infra, P3: 3). Full path: 27→37→51→55. Watchtower noted as archived (Dec 2025). | | 2.2 | 2026-02-26 | **Replacements + final sweep.** Added **Stalwart Mail** (AGPL-3.0) as current tool replacing Poste.io — all-in-one mail server with native OIDC/Keycloak, Management REST API, Rust-based. Current tools: 27→28. Typebot noted as retained for internal/team use (not customer-facing). 
Invoice Ninja + Akaunting gaps resolved: **Bigcapital** (P1) covers both invoicing and double-entry accounting; **InvoiceShelf** (AGPL-3.0) noted as lighter alternative. Section headers updated to reflect current coverage post-removals. **Final comprehensive license sweep** of all 28 current + 27 expansion tools: all remaining licenses confirmed compatible with managed service model. Open Questions #7 (email server) and #13 (invoicing+accounting) resolved. **Count corrections:** P1 header 9→10 (Saleor was P1 since v2.0), P2 main 9→10 (Mattermost was missing from summary table). Full path: 28→38→52→55. | --- *This document should be updated as tools are added, removed, or reclassified. Resource profiles should be validated with actual benchmarks before launch.*