Competitive Intelligence — Index & Moat Thesis
The front door to the lab's competitor knowledge. NAO's directive (2026-06-21): capture what the top competitors actually ship, in detail, once — so no agent re-researches it. This note is the map; the dossiers hold the detail. Updated when a market moves.
The corpus (read by cluster)
| Dossier | Covers | File |
|---|---|---|
| Canonical matrix | 39 platforms × 16/10/9-category frameworks, 0–5 self-assessment | `competitive-matrix-2026-06-21` |
| CX AI incumbents | Intercom Fin/Apex, Sierra, Decagon, Ada, Zendesk AI, Forethought, Kustomer | `competitor-dossier-cx-ai-incumbents-2026-06-21` |
| SMB widgets | Chatbase, Tidio/Lyro, Voiceflow, Botpress, Chatbot.com, Crisp, Landbot, ManyChat | `competitor-dossier-smb-widgets-2026-06-21` |
| Voice AI | ElevenLabs, Retell, Vapi, Bland, PlayAI, Deepgram, Cartesia, LiveKit | `competitor-dossier-voice-ai-2026-06-21` |
| Avatar / digital-human | Tavus, HeyGen, D-ID, Synthesia, Hedra, Soul Machines, UneeQ, Simli | `competitor-dossier-avatar-platforms-2026-06-21` |
| Backend / BaaS | Supabase, Firebase, Appwrite, Convex, Hasura, Encore, NestJS, Laravel, Next | `competitor-dossier-backend-baas-2026-06-21` |
| Auth / identity | WorkOS, Clerk, Auth0, Stytch, Supabase Auth, Keycloak, Ory, FusionAuth, Logto, Zitadel | `competitor-dossier-auth-identity-2026-06-21` |
Related internal decisions (in openalice/docs/): laravel-features-to-adopt-2026-06-21 (Pennant/Queues/Context/Precognition adopt list), backend-sota-security-backlog-2026-06-21 (the prioritized build backlog with the audit-confirmed "already SOTA" notes).
Adjacent clusters (beyond the Embed/CX core above):
| Cluster | Covers | File |
|---|---|---|
| Social / sovereign comms | UnCorded teardown + the self-hosted Discord-alt landscape (Stoat/Spacebar/Matrix/Mattermost/Rocket.Chat/Zulip) + Moltbook; lessons for openalice-social | `uncorded-teardown-2026-06-29` (Alex, 2026-06-29) |
| Agentic auth / identity | WorkOS auth.md ("sign-up for agents") + the agent-auth standards race (MCP-auth / ID-JAG / Descope / Auth0) + OpenAlice integration path (publish / consume / ID-JAG-issue, EU-sovereign) | `workos-auth-md-2026-06-30` (Alex, 2026-06-30) |
| Agent-era standards stack | The full agent-protocol landscape — payments (x402/AP2/ACP/UCP), MCP/A2A, identity/discovery, EU AI Act Art.50, OWASP/AAIF/SAFE-MCP — ranked track / adopt / ignore / comply for us | `agent-standards-landscape-2026-06-30` (Alex, 2026-06-30) |
The moat thesis (why we win)
Across all six clusters, no competitor combines the three axes we already hold:
- Embodied 3D avatar (three.js / three-vrm, voice-synced) — the avatar leaders (Tavus, HeyGen, D-ID) have best-in-class embodiment but no platform layer (no analytics, HITL inbox, A/B, proactive, lead capture — "build it yourself via webhooks").
- ON a full conversational platform — the platform leaders (Intercom, Sierra, Decagon, Ada, Zendesk) have deep platforms but zero avatar/embodiment, and are US-cloud-only, enterprise-priced ($30K–$1.5M/yr), no self-host.
- EU-sovereign self-host — WorkOS is US-only; Clerk/Auth0/Stytch/Firebase/Convex are cloud-only (US-HQ → CLOUD Act). Only Supabase/Keycloak/Ory/Zitadel/Appwrite/Hasura/Encore self-host. We run a Rust stack in EU (Hetzner), own keys, no SaaS auth dependency — and already ship SAML 2.0 SSO + SCIM 2.0, which most SMB rivals lack.
(embodied avatar) × (full platform) × (EU-sovereign self-host) = a triple nobody in the field has. Keep all three pure.
The honest gaps (where to invest — see the backlog)
- Omnichannel (web-only; score 2) — WhatsApp + email are the #1 product gap.
- Multilingual breadth (3 langs vs 40–90; score 3) — auto-detect + more langs = cheap credibility win (i18n substrate now in place).
- FGA/ReBAC (score 1) — adopt Ory Keto (Zanzibar, Apache-2.0, self-hostable) as a side-car; keep our HS256 issuance.
- Integration marketplace / public API (score 2.5) — a public API + a few first-class integrations (CRM/Shopify).
- Compliance certifications — we have the posture (EU-sovereign, RLS, IDOR closed, GDPR); the SOC2/ISO paper is the enterprise unlock.
- Conversational-model differentiation — we orchestrate frontier LLMs; incumbents post-train their own (a deliberate, defensible choice — not necessarily a gap).
Honest scorecard (means): Product ≈ 3.4/5 (4.5 on the differentiator), Backend ≈ 3.7/5, Auth ≈ 3.3/5 — with two structural 5/5 moats the field lacks. The path to 4+ is omnichannel + multilingual + FGA + certs, not a rebuild.
What's already more SOTA than the matrix implied (backend audit, 2026-06-21)
Auditing before building found the backend security foundation already strong: per-tenant + per-visitor rate limiting (Redis cluster-shared), OTel W3C trace-context propagation wired across services, security headers + CORS + dashboard CSP/HSTS fleet-wide. The session closed the one real rate-limit gap (per-IP on public login/signup). Detail in openalice/docs/backend-sota-security-backlog-2026-06-21.md.