Session Notes — 2026-02-28 (Afternoon)
Full session recap. Nothing should be lost.
What We Built: Clavitor
The gap: Bitwarden shipped an MCP server — all-or-nothing. No field-level AI visibility, no two-tier encryption. Nothing in the space does this correctly.
What we built in one afternoon:
- One Go binary, one SQLite file, port 1984 (Orwell — intentional)
- Git: git@zurich.inou.com:clavitor.git
- Local: /home/johan/dev/clavitor/
- Running: http://192.168.1.16:1984
Core Architecture Decisions
Entry Model
No separate tables. Everything is an entry with free-form fields.
{"label":"CVV","value":"1234","kind":"password","l2":true,"section":"Card Details"}
kind is just a UI hint — it never constrains the data. A "Shoe size" entry is valid.
Two-Tier Encryption
- L1 — Server key (VAULT_KEY env var). AI (James) can read. API keys, SSH, TOTP, everything not explicitly marked private.
- L2 — Client-side only. WebAuthn PRF (Touch ID / Face ID / YubiKey / Google Titan Key). Key NEVER touches server. Even with full shell access, L2 fields are opaque ciphertext.
The EA Analogy (Johan's insight)
"My EA would have access to my company files; not to my drawer with my private stuff. I would have a different key and keep it on me."
This is the product. Not "AI has access to everything." Not "AI has access to nothing." Smart access, per field, cryptographically enforced.
Why email OTP fallback for L2 is WRONG
Johan killed this idea immediately. If email can unlock L2, anyone who compromises email gets the private drawer. And James has access to email. Back to square one.
Correct fallback: Register multiple WebAuthn authenticators (Touch ID + Titan Key). Printed BIP39 mnemonic as last resort. No digital fallback.
Import Architecture
- Chrome CSV, Firefox CSV, Bitwarden JSON, Proton Pass JSON → direct Go parsers (instant, free, handles 12k+ entries)
- Unknown format → LLM in parallel chunks of 100 rows, max 4 concurrent calls (Fireworks, zero retention)
- Collision resolution: newest modification date wins (Firefox timePasswordChanged, Proton modifyTime, Bitwarden revisionDate). Chrome has no timestamps → existing vault wins.
- Preview before confirm: 🟢 New / 🔄 Update / ⚪ Duplicate
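The collision rule above, written out as an added example rather than Clavitor's own import code. Assumptions of mine: entries collide on (hostname, username), an import that carries no timestamp is reported as Duplicate when the vault already holds a different password (that is the "existing vault wins" case), and the timestamp encodings are Unix milliseconds for Firefox timePasswordChanged, Unix seconds for Proton modifyTime and RFC 3339 for Bitwarden revisionDate, as I understand those exports.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Action is what the preview shows for one imported row.
type Action string

const (
	ActNew       Action = "🟢 New"
	ActUpdate    Action = "🔄 Update"
	ActDuplicate Action = "⚪ Duplicate"
)

// Credential is the common shape every parser (native or LLM) would produce.
// Modified is the zero time when the source carries no timestamp (Chrome).
type Credential struct {
	URL, Username, Password string
	Modified                time.Time
}

// dedupKey joins normalised hostname and username. Keying on the host rather
// than the full URL is an assumption: "https://x.com/login" and "x.com" collide.
func dedupKey(c Credential) string {
	raw := strings.TrimSpace(c.URL)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw
	}
	host := raw
	if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
		host = u.Hostname()
	}
	return strings.ToLower(host) + "|" + strings.ToLower(strings.TrimSpace(c.Username))
}

// parseModified turns each export's own timestamp field into time.Time.
// Anything it cannot parse (including Chrome, which has no field) is the
// zero time, which Classify treats as "no timestamp".
func parseModified(source, raw string) time.Time {
	raw = strings.TrimSpace(raw)
	switch source {
	case "firefox": // timePasswordChanged, Unix milliseconds
		if ms, err := strconv.ParseInt(raw, 10, 64); err == nil {
			return time.UnixMilli(ms).UTC()
		}
	case "proton": // modifyTime, Unix seconds
		if s, err := strconv.ParseInt(raw, 10, 64); err == nil {
			return time.Unix(s, 0).UTC()
		}
	case "bitwarden": // revisionDate, RFC 3339
		if t, err := time.Parse(time.RFC3339Nano, raw); err == nil {
			return t.UTC()
		}
	}
	return time.Time{}
}

// Classify decides the preview action for one imported credential against
// the vault (keyed by dedupKey).
func Classify(vault map[string]Credential, in Credential) Action {
	cur, ok := vault[dedupKey(in)]
	if !ok {
		return ActNew
	}
	if cur.Password == in.Password {
		return ActDuplicate
	}
	// Passwords differ: newest modification date wins. An import with no
	// timestamp can never beat the vault, so it is reported as a duplicate.
	if in.Modified.IsZero() || !in.Modified.After(cur.Modified) {
		return ActDuplicate
	}
	return ActUpdate
}

func main() {
	// Constructed sample data.
	vault := map[string]Credential{}
	existing := Credential{URL: "https://example.com/login", Username: "alice", Password: "old",
		Modified: parseModified("bitwarden", "2025-01-01T00:00:00Z")}
	vault[dedupKey(existing)] = existing
	fromFirefox := Credential{URL: "example.com", Username: "Alice", Password: "new",
		Modified: parseModified("firefox", "1767225600000")} // 2026-01-01
	fromChrome := Credential{URL: "example.com", Username: "alice", Password: "new"}
	fmt.Println(Classify(vault, fromFirefox), Classify(vault, fromChrome))
}
```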
Port 1984
"My password manager runs on 1984." — Orwell. Because someone has to watch the watchers.
Features Built
- Entry CRUD with L1 crypto (AES-256-GCM + zstd, HKDF per-entry keys)
- TOTP generation (RFC 6238 compliant, L1 = AI-accessible, L2 = client-only)
- Password generator (random + passphrase, words=N)
- Import (Chrome/Firefox/Bitwarden/Proton native parsers + LLM fallback)
- Dedup with date-based collision resolution
- Audit log (every read/write/AI access logged with actor)
- URL matching for browser extension
- MCP endpoint (JSON-RPC 2.0)
- Browser extension scaffold (Manifest V3)
- Web UI (navy/dark theme, Tailwind CDN, vanilla JS)
Bugs Found & Fixed (from test suite)
- ✅ L2 fields leaked plaintext to web API — fixed: stripped for web + MCP actors
- ✅ words=4 ignored — fixed: parse as integer, pass to generatePassphrase(N)
- ✅ ?q= on /api/entries ignored — fixed: delegates to /api/search
Day 2 Priorities
- WebAuthn PRF — client-side L2 key derivation in browser
- L2 field client-side encrypt/decrypt — browser Web Crypto API
- Extension autofill — LLM field mapping → fill (DOM snapshot → LLM → fill)
- Scoped MCP tokens — per-agent credential scoping (see below)
- MCP token management UI
Scoped Tokens (Multi-Agent Feature — KEY PRIORITY)
type Token struct {
    Label     string   // "Agent: Social Media"
    Tags      []string // only return entries with these tags
    EntryIDs  []string // or whitelist specific entries
    ReadOnly  bool
    ExpiresAt int64
}
Why this matters: Alex Finn is running 10+ OpenClaw agents 24/7. Each agent needs different credentials. One compromised agent shouldn't expose everything. Clavitor with scoped tokens is the only solution for this use case.
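Scope enforcement for the Token struct above, as an added example and not Clavitor's implementation (the struct is the page's; Field, Entry, Allows, CanWrite, redactL2 and VisibleEntries are mine). Assumptions: ExpiresAt is Unix seconds and 0 means no expiry; Tags match if any tag overlaps; a token with neither Tags nor EntryIDs sees nothing (fail closed). It also applies the rule from the day's bug fix, stripping L2 values for an MCP actor, so a scoped agent gets exactly its entries and never a private-drawer value.

```go
package main

import (
	"fmt"
	"time"
)

// Field and Entry mirror the free-form entry model: every field carries the
// L2 flag, and tags on the entry drive scoping. Layout is an assumption.
type Field struct {
	Label string
	Value string
	Kind  string
	L2    bool
}

type Entry struct {
	ID     string
	Name   string
	Tags   []string
	Fields []Field
}

// Token is the scoped-token shape from the session notes.
type Token struct {
	Label     string
	Tags      []string
	EntryIDs  []string
	ReadOnly  bool
	ExpiresAt int64 // unix seconds; 0 = no expiry (assumption)
}

func (t Token) expired(now time.Time) bool {
	return t.ExpiresAt != 0 && now.Unix() >= t.ExpiresAt
}

// Allows reports whether the token may see one entry: never after expiry,
// otherwise by explicit whitelist or by any overlapping tag. A token with no
// scope at all sees nothing.
func (t Token) Allows(e Entry, now time.Time) bool {
	if t.expired(now) {
		return false
	}
	for _, id := range t.EntryIDs {
		if id == e.ID {
			return true
		}
	}
	for _, want := range t.Tags {
		for _, have := range e.Tags {
			if want == have {
				return true
			}
		}
	}
	return false
}

// CanWrite gates mutations: read-only or expired tokens never write, and a
// token can only write what it can read.
func (t Token) CanWrite(e Entry, now time.Time) bool {
	return !t.ReadOnly && t.Allows(e, now)
}

// redactL2 returns a copy with every L2 value removed (web/MCP actor rule).
// The original entry is left untouched.
func redactL2(e Entry) Entry {
	out := e
	out.Fields = make([]Field, len(e.Fields))
	for i, f := range e.Fields {
		if f.L2 {
			f.Value = ""
		}
		out.Fields[i] = f
	}
	return out
}

// VisibleEntries is what an MCP call presenting this token would get back.
func VisibleEntries(t Token, vault []Entry, now time.Time) []Entry {
	var res []Entry
	for _, e := range vault {
		if t.Allows(e, now) {
			res = append(res, redactL2(e))
		}
	}
	return res
}

func main() {
	now := time.Now()
	// Constructed vault: one social-media login with an L2 recovery code, one bank login.
	vault := []Entry{
		{ID: "e1", Name: "X", Tags: []string{"social"}, Fields: []Field{
			{Label: "password", Value: "p1", Kind: "password"},
			{Label: "recovery", Value: "private", Kind: "password", L2: true}}},
		{ID: "e2", Name: "Bank", Tags: []string{"banking"}, Fields: []Field{
			{Label: "password", Value: "p2", Kind: "password"}}},
	}
	tok := Token{Label: "Agent: Social Media", Tags: []string{"social"}, ReadOnly: true, ExpiresAt: now.Unix() + 3600}
	for _, e := range VisibleEntries(tok, vault, now) {
		fmt.Printf("%s %s %+v\n", e.ID, e.Name, e.Fields)
	}
}
```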
Go-To-Market Strategy
Target: Alex Finn (@AlexFinn)
- Power user, building massive multi-agent swarm (3x Mac Studio, DGX Spark, 10+ agents)
- DO NOT just tag him — he uses bots for everything, bots won't see a mention
- Make content his bots surface: write posts using keywords his agents scan for
- OpenClaw, MCP, credentials, multi-agent, swarm, autonomous, agent security
- Discord is his primary community now (subagent searching for his server)
- James needs Discord presence — ask Johan for Discord account/token
- Strategy: join community, contribute genuinely, let Clavitor come up naturally
- Hook for Alex specifically: "10 agents, each scoped to exactly what it needs"
Announcement Assets Ready
- docs/README.md — full project readme
- docs/X-ANNOUNCEMENT.md — 3 options + full 6-tweet thread
- docs/KILLER-FEATURES.md — 14 features across 3 tiers
- docs/RESEARCH.md — Chrome extension complaints, CC/Codex MCP config, community channels
OpenClaw Community
- OpenClaw Discord: https://discord.com/invite/clawd
- ClawHub: https://clawdhub.com (skill/tool submission)
- @openclaw + @steipete on X
Plain CC/Codex/Cursor Integration
// ~/.claude/mcp.json
{
  "mcpServers": {
    "clavitor": {
      "url": "http://localhost:1984/mcp",
      "headers": {"Authorization": "Bearer YOUR_MCP_TOKEN"}
    }
  }
}
Plain http is fine while the URL is loopback-only; once the Caddy proxy gives Clavitor a domain, the bearer token must only ever travel over TLS.
Side Notes from Session
Taalas / ChatJimmy (chatjimmy.ai)
Toronto startup, emerged from stealth last week. HC1 chip: Llama 3.1 8B hard-coded into silicon. 17,000 tok/s per user. $30M spent of $200M funding. Model wrong on the boxes puzzle but got there fast. Watch HC2 (70B) — when they scale the architecture, it changes the economics of inference entirely.
NullClaw (Zig)
678KB binary, ~1MB RAM, boots in 2ms. 45,000 lines of Zig. Cool tech, not production-ready (Zig pre-1.0). "Same functionality" claim needs benchmarks. The vtable architecture is genuinely interesting.
Azure Backup Project
Abandoned. Local folder renamed to azure-backup-abandoned-20260228. Remote git repo deleted from Zurich.
Pending
- AlexFinn Discord server — subagent searching
- James Discord account/token — ask Johan
- Scoped MCP tokens — implement (Day 2)
- WebAuthn PRF — implement (Day 2)
- Caddy proxy for clavitor (give it a domain)
- Systemd service for clavitor on forge
- Permanent VAULT_KEY (currently regenerated on each restart, so L1 ciphertext written before a restart can no longer be decrypted)
- Import the actual 12,623 entries from Johan's browsers + Proton
AlexFinn Discord — Research Results
Server: "1% Club"
Invite: https://discord.gg/1percentbetter (may have expired — gated behind paid subscription)
Access: Paid — requires 1% Club subscription at alexfinn.ai
Community focus (Feb 2026):
- OpenClaw agent setups and multi-agent workflows
- Discord as agent coordination surface (Alex posted a popular video on OpenClaw+Discord)
- Vibe coding / Claude Code / Codex
- AI-powered SaaS, autonomous businesses
Why this audience is perfect for Clavitor:
- Paid, engaged, AI-forward
- Actively running multi-agent OpenClaw setups
- The credential scoping problem is REAL for them
Path in:
- Subscribe to 1% Club at alexfinn.ai → Discord access → participate genuinely
- Or: DM Alex directly on X with the multi-agent angle
Note: Alex's YouTube is @AlexFinnOfficial — described as "#1 vibe coding channel on YouTube"