diff --git a/CLAVITOR-PRINCIPLES.md b/CLAVITOR-PRINCIPLES.md index 4cbd8d9..15a68c4 100644 --- a/CLAVITOR-PRINCIPLES.md +++ b/CLAVITOR-PRINCIPLES.md @@ -294,6 +294,24 @@ and `P3` should appear almost nowhere in the codebase. If you find yourself using them, stop. These are browser-only concepts. Their presence outside `auth.js`, `crypto.js`, or the C CLI is a sign of architectural drift. +### Cardinal rule #3.5 — Cryptographic hygiene + +**FIPS 140-3 compliance:** All cryptographic operations must be FIPS 140-3 +validated or in the process of validation. This means: +- Use standard library crypto (Go: `crypto/` packages, C: OpenSSL FIPS module) +- No custom cryptographic primitives +- No home-grown key derivation or random number generation + +**Avoid CGO where possible:** CGO (Go's C interoperability) creates build +complexity, deployment friction, and audit surface. Prefer: +- Pure Go implementations for new code +- CGO only when FIPS mandates it (e.g., specific HSM integrations) +- The C CLI (`clavis-cli`) is the only CGO-heavy component by design + +**Compiler optimizations:** Standard `memset` or `clear()` may be optimized +away. Use `runtime.memclrNoHeapPointers` (Go) or `memset_explicit` (C11) to +ensure key material is actually cleared from memory. + ### Cardinal rule #4 — Three threats, no others The owner is not a threat — they paid for the vault, they hold the keys, @@ -1109,4 +1127,57 @@ When a stolen agent token is used from an unauthorized IP: --- +## Part 8 — Compliance & Data Governance + +### Data retention by customer tier + +| Data type | Paying customers | Non-paying (community) | Rationale | +|-----------|------------------|------------------------|-----------| +| Vault content | Until deletion + 30 days | Until deletion + 7 days | Business continuity vs storage costs | +| Audit logs | 7 years (SOC 2/SOX) | 90 days | Regulatory requirement vs convenience | +| Failed auth | 90 days | 30 days | Threat analysis window | +| Backups | 30 days rolling | 7 days rolling | Disaster recovery needs | +| Telemetry | 90 days | None | Commercial optimization only | + +Non-paying users accept reduced retention as a trade-off for free service. +Upgrade to commercial = full compliance coverage. + +### Cross-border transfers + +**Zurich central as anchor:** Our central infrastructure is in Zurich, Switzerland. +This addresses most compliance concerns: +- Swiss data protection (adequate under EU GDPR) +- POPs are data processing extensions, not independent controllers +- No EU→US transfer issues for European customers +- Asian customers: POPs hold encrypted WL3 only (no PII), minimal exposure + +Standard Contractual Clauses (SCCs) in place for enterprise customers who require +them. Default terms cover most use cases without additional paperwork. + +--- + +## Part 9 — Localization (i18n/l10n) + +### Status: English-first, limited localization + +**Current priority:** +- ✅ Error message codes (ERR-12345) — universal, no translation needed +- ✅ CLI output — English only (dev/ops audience) +- ✅ Web UI — English only (for now) +- ❌ RTL (Arabic/Hebrew) — not a priority for initial markets +- ❌ Full UI translation — future phase, post-product-market-fit + +### Form field detection — core feature + +Browser extension form detection is **intentionally unaddressed in this document**. +It is a core product feature that will evolve through: +- W3C `autocomplete` attribute support (universal) +- ML-based field classification (language-agnostic) +- Community contribution for locale-specific heuristics + +We do not mandate specific implementation here because rapid iteration is required. +The feature will mature separately from these architectural principles. + +--- + *Foundation First. No mediocrity. Ever.*