Replication is a COMMERCIAL-ONLY feature:
- Community Edition: No replication functionality (privacy-first, single-node)
- Commercial Edition: Real-time sync to backup POPs (Calgary/Zurich)
Changes:
- edition/replication.go: Commercial-only replication implementation stub
- edition/edition.go: Add ReplicationConfig and StartReplication stub
- edition/commercial.go: Wire up replication, use globalConfig
- edition/community.go: No-op StartReplication stub
- edition/CLAUDE.md: Document replication as commercial-only
- cmd/clavitor/main.go: Add replication flags (replication-*)
- replication-primary, replication-backup, replication-token
- Warning if used in Community Edition
Security:
- Replication requires inter-POP auth token
- 30-second poll interval, batch up to 100 entries
- Automatic retry with backoff
Note: Full implementation TBD - this is the infrastructure scaffolding.
The actual replicationBatch() logic needs to be implemented for production.
Complete vault rewrite with correct foundation:
- CVT encrypted envelope tokens (type 0x00 wire, type 0x01 client credential)
- Agents and scopes stored as L1-encrypted entries (no separate tables)
- Scope-based access control with AgentCanAccess() set intersection
- Owner-only admin enforcement (agents cannot manage agents/scopes)
- 14 password manager importers (Proton, Bitwarden, 1Password, LastPass,
Dashlane, KeePass, KeePassXC, NordPass, Keeper, RoboForm, Enpass,
Safari/iCloud, Chrome, Firefox)
- FIELD_SPEC single source of truth for field kind and tier
- L2/L3 client-side encryption on import (PRF required)
- Domain classification service on clavitor.ai/classify
- Scope auto-assignment during import (13 categories)
- Light theme default (Figtree font, matching clavitor.ai branding)
- Unified page shell across all screens (topbar on every page)
- Batch import with progress indicator
- ZIP extraction for Proton Pass exports
- Proton dedup by title+user+url
- 55 tests passing (26 API + 29 lib)
- Key leak detection tests (L1/L2/L3 never in responses)
- CLI updated for CVT token format
- Old code archived in _old/
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- POPs map on /hosted now generated from clavitor.db (28 POPs, 8 live)
- Added /glass (looking glass with client-side latency)
- Added /noc?pin=250365 (NOC dashboard with telemetry)
- Added POST /telemetry endpoint for POP agent heartbeats
- Encryption terminology: Vault/Credential/Identity (no more sealed/agent/L1-L3)
- License: MIT → Elastic License 2.0
- Capitalize Clavitor in all prose
- MCP references → CLI (agents use CLI, not MCP)
- GitHub links disabled (project not public yet)
- New favicon (black square logo) + apple-touch-icon
- Darker worldmap land/borders
- Added CLAUDE.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security fix: Changed from 0.0.0.0 (all interfaces) to 127.0.0.1 (localhost only)
Files modified:
- design-system/server.go
- design-system/server-temp.go
Before: http.ListenAndServe(0.0.0.0:8888, ...) - exposed on LAN/WAN
After: http.ListenAndServe(127.0.0.1:8888, ...) - localhost only
Note: server-temp.go has 60-minute auto-shutdown. Dev server was not running
at time of fix (likely auto-shut or manually killed).
James