What would need to change for you to feel that's not the case?

The open source version is fully functional and can definitely scale beyond toy projects. You don't get high availability, multi-instance clustering, auto-scaling, multi-region failover etc. built in, but if you put it on a beefy host it can easily handle a large number of users and a very high request rate.

The way I think of it is we give you the fully functional server, but charge for advanced infrastructure and a few advanced features (SSO/Teams).

It's comparable to the open source version of a tool like Vault where you get the server, but need to implement advanced stuff like HA, auto-scaling, networking, etc. yourself, or else use a paid version.

I would consider HA/clustering/auto-scaling to be table stakes for something as mission critical as secrets management.

As far as I can see, this is fully available in the open-source version of Vault: https://learn.hashicorp.com/tutorials/vault/ha-with-consul

Even though I would personally choose to use the hosted version, I still consider the availability of an open-source solution to be a great hedge against vendor lock-in/failure.

This is only true if I can be confident that I can replicate the hosted setup with the open-source version if I invested the necessary resources. Otherwise, the existence of an open-source option adds little value. In fact it can turn me off from a product since it'd seem like they're using open source as a marketing hook with no real intention of empowering users to be able to actually move off their hosted platforms.

We could potentially enable clustering for the Open Source version. One of the reasons it isn't already is that our clustering implementation is currently AWS-specific, since it relies on the AWS metadata endpoint to look up a host's internal IP, as well as networking rules that allow hosts to talk to each other.

This is why Vault requires another piece like Consul (plus a whole lot of tricky infra/networking work) to achieve HA.

That said, we could allow users of the Open Source version to specify a url via an env var to look up a host's internal IP so that clustering would work.

Auto-scaling is provider-specific though, so I don't see how that could be baked in. Same with secure networking.

I'll also just say that while we do want the open source version to be fully functional (if a bit more DIY), another motivation for us that I see as equally important for a security product is transparency.

While it's inarguably crucial for any clients implementing end-to-end encryption to be open source, I think there's a lot of value in open sourcing the server as well (regardless of how practical it is to actually run) so that users can know what's happening on the server-side, see that the code is high quality and tested, and so on.