48bf5d8aa0
EDITION SYSTEM (Community/Commercial): - Add edition/ package with build-time separation - Community: No telemetry, local logging only, AGPL - Commercial: Centralized alerting to clavitor.ai, managed POPs - Build: go build ./cmd/clavitor/ (community) or -tags commercial SECURITY FIXES (Issues 1-24): 1. L3 field protection in batch import - agents can't overwrite tier 3 2. FQDN lookup caching - 5min TTL prevents DNS DoS 3. IP whitelist race documented and accepted 4. Admin token consumption - accepted UX limitation 5. Type guard now returns 403 (not silent skip) 6. Agents blocked entirely from batch import 7. IP whitelist DB errors return 500 + telemetry 8. L3 protection in upsert 9. DeleteEntry scope check added 10. CreateEntry scope validation for agents 11. SearchEntries audit logging 13. CSP tightened - removed unused tailwind, img-src restricted 15. Backup path validation (isValidVaultName) 17. Request body size limit - 64KB max, binary content blocked 18. WebAuthn auth challenge verification 19. RestoreBackup requires admin auth 20. TOTP scope check (already existed) 21. PRF-only enforcement (no non-PRF fallbacks) 22. Empty scopes documented as quarantine feature 23. Scope format validation with operator alerts 24. DB errors surfaced via edition.AlertOperator() OPERATOR ALERTS: - edition.Current.AlertOperator() routes to local logs (community) - or POSTs to /v1/alerts (commercial) - Alerts: auth_system_error, data_corruption NEW DOCUMENTATION: - edition/CLAUDE.md - full edition system docs - GIT_WORKFLOW.md - Zurich-only Git policy |
||
|---|---|---|
| clavis | ||
| clavitor.ai | ||
| clavitor.com | ||
| design-system | ||
| docs | ||
| marketing | ||
| operations | ||
| .DS_Store | ||
| ._.DS_Store | ||
| CLAUDE.md | ||