9860a679d4
Update all CLAUDE.md files to reference CLAVITOR-AGENT-HANDBOOK.md
...
Updated 13 CLAUDE.md files across all subprojects:
- Root CLAUDE.md → Section I (Culture)
- clavis-vault/CLAUDE.md → Section V: clavis-vault (Sarah)
- clavis-cli/CLAUDE.md → Section V: clavis-cli (Charles)
- clavis-chrome/firefox/safari/CLAUDE.md → Section V: Browser extensions (James)
- clavis-crypto/CLAUDE.md → Section V: clavis-crypto (Maria)
- clavis-ios/android/CLAUDE.md → Section V: Mobile (James)
- clavis-telemetry/CLAUDE.md → Section V: clavis-telemetry (Hans)
- clavitor.ai/CLAUDE.md → Section V: clavitor.ai/admin (Emma)
- clavitor.ai/admin/CLAUDE.md → Section V: clavitor.ai/admin (Emma)
- clavis-vault/edition/CLAUDE.md → Section V: clavis-vault (Sarah)
All references now point to the 5-section handbook structure.
2026-04-08 15:24:51 -04:00
5cf089a58e
Multi-project update: import system, edition system, web UI, CLI, website, POP sync
...
Vault: importer refactor with mapping-driven parsers, auth.js login flow,
edition system enhancements (commercial features), agent UI fixes,
mTLS improvements, schema and handler updates.
CLI: cvt protocol updates, keystore changes, JS bridge additions.
Website (clavitor.ai): expanded main.go with new routes/templates,
admin panel with Paddle checkout and credentials API.
POP sync: mTLS CA support, command examples.
Marketing: pricing architecture doc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 06:40:40 -04:00
53b2770465
Commercial-only replication infrastructure
...
Replication is a COMMERCIAL-ONLY feature:
- Community Edition: No replication functionality (privacy-first, single-node)
- Commercial Edition: Real-time sync to backup POPs (Calgary/Zurich)
Changes:
- edition/replication.go: Commercial-only replication implementation stub
- edition/edition.go: Add ReplicationConfig and StartReplication stub
- edition/commercial.go: Wire up replication, use globalConfig
- edition/community.go: No-op StartReplication stub
- edition/CLAUDE.md: Document replication as commercial-only
- cmd/clavitor/main.go: Add replication flags (replication-*)
- replication-primary, replication-backup, replication-token
- Warning if used in Community Edition
Security:
- Replication requires inter-POP auth token
- 30-second poll interval, batch up to 100 entries
- Automatic retry with backoff
Note: Full implementation TBD - this is the infrastructure scaffolding.
The actual replicationBatch() logic needs to be implemented for production.
2026-04-02 00:42:40 -04:00
48bf5d8aa0
Security hardening v2: Edition system + 24 security fixes
...
EDITION SYSTEM (Community/Commercial):
- Add edition/ package with build-time separation
- Community: No telemetry, local logging only, AGPL
- Commercial: Centralized alerting to clavitor.ai, managed POPs
- Build: go build ./cmd/clavitor/ (community) or -tags commercial
SECURITY FIXES (Issues 1-24):
1. L3 field protection in batch import - agents can't overwrite tier 3
2. FQDN lookup caching - 5min TTL prevents DNS DoS
3. IP whitelist race documented and accepted
4. Admin token consumption - accepted UX limitation
5. Type guard now returns 403 (not silent skip)
6. Agents blocked entirely from batch import
7. IP whitelist DB errors return 500 + telemetry
8. L3 protection in upsert
9. DeleteEntry scope check added
10. CreateEntry scope validation for agents
11. SearchEntries audit logging
13. CSP tightened - removed unused tailwind, img-src restricted
15. Backup path validation (isValidVaultName)
17. Request body size limit - 64KB max, binary content blocked
18. WebAuthn auth challenge verification
19. RestoreBackup requires admin auth
20. TOTP scope check (already existed)
21. PRF-only enforcement (no non-PRF fallbacks)
22. Empty scopes documented as quarantine feature
23. Scope format validation with operator alerts
24. DB errors surfaced via edition.AlertOperator()
OPERATOR ALERTS:
- edition.Current.AlertOperator() routes to local logs (community)
- or POSTs to /v1/alerts (commercial)
- Alerts: auth_system_error, data_corruption
NEW DOCUMENTATION:
- edition/CLAUDE.md - full edition system docs
- GIT_WORKFLOW.md - Zurich-only Git policy
2026-04-02 00:36:31 -04:00
James