48bf5d8aa0
EDITION SYSTEM (Community/Commercial): - Add edition/ package with build-time separation - Community: No telemetry, local logging only, AGPL - Commercial: Centralized alerting to clavitor.ai, managed POPs - Build: go build ./cmd/clavitor/ (community) or -tags commercial SECURITY FIXES (Issues 1-24): 1. L3 field protection in batch import - agents can't overwrite tier 3 2. FQDN lookup caching - 5min TTL prevents DNS DoS 3. IP whitelist race documented and accepted 4. Admin token consumption - accepted UX limitation 5. Type guard now returns 403 (not silent skip) 6. Agents blocked entirely from batch import 7. IP whitelist DB errors return 500 + telemetry 8. L3 protection in upsert 9. DeleteEntry scope check added 10. CreateEntry scope validation for agents 11. SearchEntries audit logging 13. CSP tightened - removed unused tailwind, img-src restricted 15. Backup path validation (isValidVaultName) 17. Request body size limit - 64KB max, binary content blocked 18. WebAuthn auth challenge verification 19. RestoreBackup requires admin auth 20. TOTP scope check (already existed) 21. PRF-only enforcement (no non-PRF fallbacks) 22. Empty scopes documented as quarantine feature 23. Scope format validation with operator alerts 24. DB errors surfaced via edition.AlertOperator() OPERATOR ALERTS: - edition.Current.AlertOperator() routes to local logs (community) - or POSTs to /v1/alerts (commercial) - Alerts: auth_system_error, data_corruption NEW DOCUMENTATION: - edition/CLAUDE.md - full edition system docs - GIT_WORKFLOW.md - Zurich-only Git policy |
||
|---|---|---|
| .. | ||
| clavis-android | ||
| clavis-chrome | ||
| clavis-cli | ||
| clavis-crypto | ||
| clavis-firefox | ||
| clavis-ios | ||
| clavis-safari | ||
| clavis-vault | ||
| .DS_Store | ||
| ._.DS_Store | ||
| Makefile | ||
| README.md | ||
README.md
Clavis
Secure vault platform with multi-client support.
Architecture
Clavis is the vault server. Everything else is a client that talks to it.
Structure
Active Development
| Directory | Purpose | Status |
|---|---|---|
clavis-vault/ |
Vault server with embedded UI (Go, FIPS 140-3) | Active |
clavis-crypto/ |
JavaScript crypto layer | Active |
clavis-cli/ |
CLI for agents | Active |
clavis-chrome/ |
Chrome browser extension | Active |
Planned
| Directory | Purpose | Status |
|---|---|---|
clavis-firefox/ |
Firefox browser extension | Announced |
clavis-safari/ |
Safari browser extension | Announced |
clavis-ios/ |
iOS native app | Announced |
clavis-android/ |
Android native app | Announced |
Build
make deploy # Build + test + restart everything
make deploy-vault # Build + test + restart vault only
make deploy-web # Build + restart website only
make status # Check running processes
make logs-vault # Tail vault logs
make logs-web # Tail web logs
Clients
The vault supports multiple client types:
- Web: Built-in UI served by vault (
clavis-vault/) - CLI: Command-line tool for automation/agents (
clavis-cli/) - Browser Extension: Auto-fill and TOTP in Chrome (
clavis-chrome/) - Mobile: Native iOS/Android apps (planned)
Security
- FIPS 140-3 validated crypto (BoringCrypto via GOEXPERIMENT)
- Zero-knowledge architecture
- Vault server is the single source of truth
License
Proprietary — © Clavitor