chore: auto-commit uncommitted changes

clovis/Makefile

@@ -0,0 +1,96 @@
+# Clovis — build pipeline
+# FIPS 140-3: BoringCrypto via GOEXPERIMENT=boringcrypto
+# Requires Go 1.24+ (verified: go1.24.0)
+#
+# Usage:
+#   make deploy            — build + test + restart vault
+#   make deploy-vault      — build + test + restart vault only
+#   make cli               — build CLI binary
+#   make status            — check what's running
+
+GOEXPERIMENT := boringcrypto
+export GOEXPERIMENT
+
+VAULT_DIR   := clovis-vault
+CLI_DIR     := clovis-cli
+CRYPTO_DIR  := clovis-crypto
+
+VAULT_BIN   := $(VAULT_DIR)/clavitor
+CLI_BIN     := $(CLI_DIR)/clovis-cli
+
+VAULT_ENTRY := ./cmd/clavitor
+
+LDFLAGS     := -s -w
+GOFLAGS     := -trimpath
+
+.PHONY: all vault cli test clean deploy deploy-vault \
+        restart restart-vault stop stop-vault status verify-fips
+
+# --- build ---
+
+all: vault cli
+
+vault:
+	cp $(CRYPTO_DIR)/*.js $(VAULT_DIR)/cmd/vault1984/web/ 2>/dev/null || true
+	sed -i 's/__BUILD_TIME__/$(shell date -u +%Y%m%d-%H%M%S)/' $(VAULT_DIR)/cmd/vault1984/web/index.html 2>/dev/null || true
+	cd $(VAULT_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o clavitor $(VAULT_ENTRY)
+	@echo "built $(VAULT_BIN) (FIPS)"
+
+cli:
+	$(MAKE) -C $(CLI_DIR)
+	@strip $(CLI_BIN) 2>/dev/null || true
+	@echo "built $(CLI_BIN) ($$(wc -c < $(CLI_BIN)) bytes, stripped)"
+
+# --- test ---
+
+test:
+	cd $(VAULT_DIR) && go test ./api/... -v
+
+# --- deploy ---
+
+deploy: vault cli test verify-fips restart-vault
+	@echo "--- deployed ---"
+
+deploy-vault: vault test verify-fips restart-vault
+	@echo "--- vault deployed ---"
+
+# --- verify ---
+
+verify-fips: verify-fips-vault
+
+verify-fips-vault:
+	@go version -m $(VAULT_BIN) | grep -q 'GOEXPERIMENT=boringcrypto' && echo "vault: FIPS 140-3 (BoringCrypto) ✓" || { echo "vault: BoringCrypto NOT linked ✗"; exit 1; }
+
+# --- process management ---
+
+stop-vault:
+	@pkill -f './clavitor$$' 2>/dev/null || pkill -f 'clovis-vault/clavitor$$' 2>/dev/null || true
+	@sleep 0.5
+
+stop: stop-vault
+
+restart-vault: stop-vault
+	cd $(VAULT_DIR) && set -a && . ./.env && set +a && nohup ./clavitor > /tmp/clovis-vault.log 2>&1 &
+	@sleep 1
+	@ss -tlnp | grep -q ':1984' && echo "vault running on :1984 ✓" || { echo "vault failed to start ✗"; cat /tmp/clovis-vault.log; exit 1; }
+
+restart: restart-vault
+
+status:
+	@echo "--- processes ---"
+	@ps aux | grep -E '(clavitor|clovis)' | grep -v grep || echo "nothing running"
+	@echo "--- ports ---"
+	@ss -tlnp | grep -E ':1984' || echo "no vault port open"
+	@echo "--- fips ---"
+	@go version -m $(VAULT_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "vault: FIPS ✓" || echo "vault: not built or no FIPS"
+
+# --- logs ---
+
+logs-vault:
+	@tail -f /tmp/clovis-vault.log
+
+# --- clean ---
+
+clean:
+	rm -f $(VAULT_BIN)
+	-$(MAKE) -C $(CLI_DIR) clean 2>/dev/null || true

clovis/README.md

@@ -0,0 +1,54 @@
+# Clovis
+
+Secure vault platform with multi-client support.
+
+## Architecture
+
+**Clovis is the vault server.** Everything else is a client that talks to it.
+
+## Structure
+
+### Active Development
+| Directory | Purpose | Status |
+|-----------|---------|--------|
+| `clovis-vault/` | Vault server with embedded UI (Go, FIPS 140-3) | **Active** |
+| `clovis-crypto/` | JavaScript crypto layer | **Active** |
+| `clovis-cli/` | CLI for agents | **Active** |
+| `clovis-chrome/` | Chrome browser extension | **Active** |
+
+### Planned
+| Directory | Purpose | Status |
+|-----------|---------|--------|
+| `clovis-firefox/` | Firefox browser extension | Announced |
+| `clovis-safari/` | Safari browser extension | Announced |
+| `clovis-ios/` | iOS native app | Announced |
+| `clovis-android/` | Android native app | Announced |
+
+## Build
+
+```bash
+make deploy            # Build + test + restart everything
+make deploy-vault      # Build + test + restart vault only
+make deploy-web        # Build + restart website only
+make status            # Check running processes
+make logs-vault        # Tail vault logs
+make logs-web          # Tail web logs
+```
+
+## Clients
+
+The vault supports multiple client types:
+- **Web**: Built-in UI served by vault (`clovis-vault/`)
+- **CLI**: Command-line tool for automation/agents (`clovis-cli/`)
+- **Browser Extension**: Auto-fill and TOTP in Chrome (`clovis-chrome/`)
+- **Mobile**: Native iOS/Android apps (planned)
+
+## Security
+
+- FIPS 140-3 validated crypto (BoringCrypto via GOEXPERIMENT)
+- Zero-knowledge architecture
+- Vault server is the single source of truth
+
+## License
+
+Proprietary — © Clavitor

clovis/clovis-android/README.md

@@ -0,0 +1,10 @@
+# Clovis Android
+
+Android application for Clovis vault.
+
+**Status:** Planned, not yet implemented.
+
+Will require native Kotlin development for:
+- Autofill Framework integration
+- Android Keystore access
+- TOTP generation

clovis/clovis-chrome/README.md

@@ -0,0 +1,5 @@
+# Clovis Chrome Extension
+
+Browser extension for Chrome.
+
+TODO: Add Chrome extension implementation.

clovis/clovis-cli/Makefile

@@ -32,7 +32,7 @@ VENDOR_DIR  := vendor
 BEARSSL_DIR := $(VENDOR_DIR)/bearssl
 QUICKJS_DIR := $(VENDOR_DIR)/quickjs
 CJSON_DIR   := $(VENDOR_DIR)/cjson
-CRYPTO_DIR  := ../crypto
+CRYPTO_DIR  := ../clovis-crypto
 
 # Output binary
 BIN := clavitor-cli

clovis/clovis-crypto/README.md

@@ -0,0 +1,5 @@
+# Clovis Crypto Layer
+
+JavaScript cryptographic primitives for Clovis clients.
+
+TODO: Add crypto implementation.

clovis/clovis-firefox/README.md

@@ -0,0 +1,7 @@
+# Clovis Firefox Extension
+
+Browser extension for Firefox.
+
+**Status:** Planned, not yet implemented.
+
+This extension will share the core logic with clovis-chrome.

clovis/clovis-ios/README.md

@@ -0,0 +1,10 @@
+# Clovis iOS
+
+iOS application for Clovis vault.
+
+**Status:** Planned, not yet implemented.
+
+Will require native Swift development for:
+- Password AutoFill integration
+- Secure Enclave/Keychain access
+- TOTP generation

clovis/clovis-safari/README.md

@@ -0,0 +1,8 @@
+# Clovis Safari Extension
+
+Browser extension for Safari.
+
+**Status:** Planned, not yet implemented.
+
+Apple's Safari extension API differs significantly from Chrome/Firefox.
+May require native app wrapper for full functionality.

clovis/clovis-vault/Makefile

@@ -4,7 +4,10 @@ REMOTE_PATH := /opt/clavitor/bin
 
 export GOFIPS140 := latest
 
-.PHONY: build deploy
+.PHONY: build deploy clean
+
+clean:
+	rm -f $(BINARY)
 
 build:
 	rm -f $(BINARY)

clovis/clovis-vault/api/tier_test.go

@@ -261,8 +261,8 @@ func TestTierIsolationDB(t *testing.T) {
 func TestCLICrypto(t *testing.T) {
 	// Find CLI binary via absolute path
 	home := os.Getenv("HOME")
-	cliBin := home + "/dev/clavitor/oss/cli/clavitor-cli"
-	cliDir := home + "/dev/clavitor/oss/cli"
+	cliBin := home + "/dev/clavitor/clovis/clovis-cli/clovis-cli"
+	cliDir := home + "/dev/clavitor/clovis/clovis-cli"
 	if _, err := os.Stat(cliBin); err != nil {
 		t.Skip("clavitor-cli not found — run 'make cli' first")
 	}

design-system/clavitor-logo.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" width="80" height="80" role="img" aria-label="Clavitor">
+  <title>Clavitor</title>
+  <rect x="5" y="5" width="90" height="90" fill="#0A0A0A"/>
+</svg>

design-system/styleguide.html

@@ -101,10 +101,10 @@
 
     /* Logo Lockup — The Trinity */
     .logo-lockup { display: inline-flex; gap: 20px; align-items: stretch; }
-    .logo-lockup-square { width: 96px; height: 96px; background: var(--brand-black); flex-shrink: 0; }
-    .logo-lockup-text { display: flex; flex-direction: column; justify-content: space-between; height: 96px; padding: 8px 0 10px; }
+    .logo-lockup-square { width: 80px; height: 80px; background: var(--brand-black); flex-shrink: 0; }
+    .logo-lockup-text { display: flex; flex-direction: column; justify-content: space-between; height: 80px; }
     .logo-lockup-wordmark { font-family: var(--font-family); font-size: 56px; font-weight: var(--wordmark-weight); letter-spacing: var(--wordmark-spacing); text-transform: uppercase; color: var(--brand-accent); line-height: 1; }
-    .logo-lockup-tagline { font-size: 12px; font-weight: 500; color: var(--text-tertiary); letter-spacing: 0.18em; text-transform: uppercase; line-height: 1; }
+    .logo-lockup-tagline { font-size: 16px; font-weight: 500; color: var(--text-tertiary); letter-spacing: 0.22em; text-transform: uppercase; line-height: 1; margin-bottom: -2px; }
 
     /* Colors */
     .color-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(140px, 1fr)); gap: 16px; }
@@ -115,14 +115,15 @@
 
     /* Layout Patterns (from vault1984.com) */
     .max-width { max-width: 1200px; margin: 0 auto; padding: 0 24px; }
-    .grid-2-equal { display: grid; grid-template-columns: 1fr 1fr; gap: 48px; align-items: center; }
+    .grid-2-equal { display: grid; grid-template-columns: 1fr 1fr; gap: 48px; align-items: center; overflow: visible; }
     .grid-3-equal { display: grid; grid-template-columns: repeat(3, 1fr); gap: 32px; }
     .grid-4-equal { display: grid; grid-template-columns: repeat(4, 1fr); gap: 24px; text-align: center; }
     
-    .pill-row { display: flex; flex-wrap: wrap; gap: 12px; }
+    .pill-row { display: flex; flex-wrap: wrap; gap: 12px; overflow: visible; }
     .pill { 
       display: inline-flex; align-items: center; 
       height: 32px; padding: 0 16px;
+      white-space: nowrap;
       background: var(--bg-secondary); 
       border: 1px solid var(--border-default);
       border-radius: 9999px; 
@@ -240,8 +241,61 @@
         </div>
       </div>
       <p class="text-tertiary text-xs" style="margin-top: 16px;">
-        <strong>Spec:</strong> 72px black square, Figtree 700, 0.25em spacing, aligned left edge to left edge
+        <strong>Spec:</strong> Square: 80×80px #0A0A0A (Black Square) · Wordmark: Figtree 700, 56px, 0.25em, #7C3AED (Violet) · Tagline: 16px, 0.22em, uppercase, #737373 (Text Tertiary)
       </p>
+      <p style="margin-top: 12px; display: flex; gap: 24px;">
+        <a href="clavitor-logo.svg" download="clavitor-logo.svg" style="font-size: 14px; color: var(--brand-accent); font-weight: 500;">↓ Download clavitor-logo.svg</a>
+        <a href="clavitor-logo.png" download="clavitor-logo.png" style="font-size: 14px; color: var(--brand-accent); font-weight: 500;">↓ Download clavitor-logo.png (800×800)</a>
+      </p>
+    </div>
+
+    <!-- Logo Lockup — Scale Variants -->
+    <div class="section">
+      <div class="section-title">Logo Lockup — Scale Variants</div>
+
+      <p class="text-tertiary text-xs" style="margin-bottom: 16px;">200%</p>
+      <div style="transform: scale(2); transform-origin: top left; margin-bottom: 180px; display: inline-block;">
+        <div class="logo-lockup">
+          <div class="logo-lockup-square"></div>
+          <div class="logo-lockup-text">
+            <div class="logo-lockup-wordmark">CLAVITOR</div>
+            <div class="logo-lockup-tagline">Black-box credential issuance</div>
+          </div>
+        </div>
+      </div>
+
+      <p class="text-tertiary text-xs" style="margin-bottom: 16px;">150%</p>
+      <div style="transform: scale(1.5); transform-origin: top left; margin-bottom: 80px; display: inline-block;">
+        <div class="logo-lockup">
+          <div class="logo-lockup-square"></div>
+          <div class="logo-lockup-text">
+            <div class="logo-lockup-wordmark">CLAVITOR</div>
+            <div class="logo-lockup-tagline">Black-box credential issuance</div>
+          </div>
+        </div>
+      </div>
+
+      <p class="text-tertiary text-xs" style="margin-bottom: 16px;">100%</p>
+      <div style="margin-bottom: 40px; display: inline-block;">
+        <div class="logo-lockup">
+          <div class="logo-lockup-square"></div>
+          <div class="logo-lockup-text">
+            <div class="logo-lockup-wordmark">CLAVITOR</div>
+            <div class="logo-lockup-tagline">Black-box credential issuance</div>
+          </div>
+        </div>
+      </div>
+
+      <p class="text-tertiary text-xs" style="margin-bottom: 16px;">50%</p>
+      <div style="transform: scale(0.5); transform-origin: top left; margin-bottom: -20px; display: inline-block;">
+        <div class="logo-lockup">
+          <div class="logo-lockup-square"></div>
+          <div class="logo-lockup-text">
+            <div class="logo-lockup-wordmark">CLAVITOR</div>
+            <div class="logo-lockup-tagline">Black-box credential issuance</div>
+          </div>
+        </div>
+      </div>
     </div>
 
     <!-- Brand Colors -->
@@ -367,3 +421,6 @@
 </body>
 </html>
 >
+
+</html>
+>

oss/Makefile

@@ -1,119 +0,0 @@
-# clavitor — build pipeline
-# FIPS 140-3: BoringCrypto via GOEXPERIMENT=boringcrypto
-# Requires Go 1.24+ (verified: go1.24.0)
-#
-# Usage:
-#   make deploy           — build + test + restart everything
-#   make deploy-app       — build + test + restart app only
-#   make deploy-web       — build + restart website only
-#   make status           — check what's running
-
-GOEXPERIMENT := boringcrypto
-export GOEXPERIMENT
-
-APP_DIR     := app
-WEB_DIR     := website
-CLI_DIR     := cli
-APP_BIN     := $(APP_DIR)/clavitor
-WEB_BIN     := $(WEB_DIR)/clavitor-web
-CLI_BIN     := $(CLI_DIR)/clavitor-cli
-APP_ENTRY   := ./cmd/vault1984
-WEB_ENTRY   := .
-
-LDFLAGS     := -s -w
-GOFLAGS     := -trimpath
-
-.PHONY: all app website cli test clean deploy deploy-app deploy-web \
-        restart restart-app restart-web stop stop-app stop-web status verify-fips
-
-# --- build ---
-
-all: app website
-
-app:
-	cp crypto/*.js $(APP_DIR)/cmd/vault1984/web/
-	sed -i 's/__BUILD_TIME__/$(shell date -u +%Y%m%d-%H%M%S)/' $(APP_DIR)/cmd/vault1984/web/index.html
-	cd $(APP_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o clavitor $(APP_ENTRY)
-	@echo "built $(APP_BIN) (FIPS)"
-
-website:
-	cd $(WEB_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o clavitor-web $(WEB_ENTRY)
-	@echo "built $(WEB_BIN) (FIPS)"
-
-cli:
-	$(MAKE) -C $(CLI_DIR)
-	@strip $(CLI_BIN) 2>/dev/null || true
-	@echo "built $(CLI_BIN) ($$(wc -c < $(CLI_BIN)) bytes, stripped)"
-
-# --- test ---
-
-test:
-	cd $(APP_DIR) && go test ./api/... -v
-
-# --- deploy ---
-
-deploy: all test verify-fips restart
-	@echo "--- deployed ---"
-
-deploy-app: app test verify-fips-app restart-app
-	@echo "--- app deployed ---"
-
-deploy-web: website verify-fips-web restart-web
-	@echo "--- website deployed ---"
-
-# --- verify ---
-
-verify-fips: verify-fips-app verify-fips-web
-
-verify-fips-app:
-	@go version -m $(APP_BIN) | grep -q 'GOEXPERIMENT=boringcrypto' && echo "app: FIPS 140-3 (BoringCrypto) ✓" || { echo "app: BoringCrypto NOT linked ✗"; exit 1; }
-
-verify-fips-web:
-	@go version -m $(WEB_BIN) | grep -q 'GOEXPERIMENT=boringcrypto' && echo "web: FIPS 140-3 (BoringCrypto) ✓" || { echo "web: BoringCrypto NOT linked ✗"; exit 1; }
-
-# --- process management ---
-
-stop-app:
-	@pkill -f './clavitor$$' 2>/dev/null || pkill -f 'clavitor/clavitor$$' 2>/dev/null || true
-	@sleep 0.5
-
-stop-web:
-	@pkill -f 'clavitor-web$$' 2>/dev/null || true
-	@sleep 0.5
-
-stop: stop-app stop-web
-
-restart-app: stop-app
-	cd $(APP_DIR) && set -a && . ./.env && set +a && nohup ./clavitor > /tmp/clavitor.log 2>&1 &
-	@sleep 1
-	@ss -tlnp | grep -q ':1984' && echo "app running on :1984 ✓" || { echo "app failed to start ✗"; cat /tmp/clavitor.log; exit 1; }
-
-restart-web: stop-web
-	cd $(WEB_DIR) && nohup ./clavitor-web > /tmp/clavitor-web.log 2>&1 &
-	@sleep 1
-	@ss -tlnp | grep -q ':8099' && echo "website running on :8099 ✓" || { echo "website failed to start ✗"; cat /tmp/clavitor-web.log; exit 1; }
-
-restart: restart-app restart-web
-
-status:
-	@echo "--- processes ---"
-	@ps aux | grep -E 'clavitor(-web)?$$' | grep -v grep || echo "nothing running"
-	@echo "--- ports ---"
-	@ss -tlnp | grep -E ':1984|:8099' || echo "no ports open"
-	@echo "--- fips ---"
-	@go version -m $(APP_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "app: FIPS ✓" || echo "app: not built or no FIPS"
-	@go version -m $(WEB_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "web: FIPS ✓" || echo "web: not built or no FIPS"
-
-# --- logs ---
-
-logs-app:
-	@tail -f /tmp/clavitor.log
-
-logs-web:
-	@tail -f /tmp/clavitor-web.log
-
-# --- clean ---
-
-clean:
-	rm -f $(APP_BIN) $(WEB_BIN)
-	$(MAKE) -C $(CLI_DIR) clean