clavitor/clavis
James a2cfff8ec2 Complete replication implementation with L0/L1 auth (Commercial Only)
Replication now fully functional for Commercial Edition:

Authentication:
- Uses existing vault L0/L1 credentials (same as vault access)
- L0 in X-Clavitor-L0 header (vault ID)
- L1 in X-Clavitor-L1 header (vault encryption key)
- Validated by opening vault DB with L1
- Anti-replay: 5-minute timestamp window

Architecture:
- Primary-only POPs: No config file needed
- Replication POPs (Calgary/Zurich): Config in /etc/clavitor/replication.yaml
- Config has replication.peers list (can be empty for primary-only)
- Event-driven: SignalReplication() on every write

Files added:
- api/replication.go: HTTP handler for incoming replication
- api/routes_commercial.go: Commercial-only route registration
- api/routes_community.go: Community stub
- lib/auth.go: ValidateL0L1() for vault credential validation
- lib/base64.go: Base64URLEncode/Base64URLDecode helpers

Files modified:
- edition/config.go: New config structure with peers list
- edition/edition.go: ReplicationConfig struct with peers
- edition/replication.go: Replicate to all peers, use new config
- edition/backup_mode.go: Removed env var, config-based
- cmd/clavitor/main.go: Load config, nil config = primary-only
- api/routes.go: Call registerCommercialRoutes()

Security:
- L0/L1 auth prevents unauthorized replication
- Timestamp window prevents replay attacks
- Audit alerts on auth failures and rejections
2026-04-02 01:21:20 -04:00
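Added example, not code from the clavitor repository: a Go sketch of the request checks the commit message lists (L0/L1 headers present, timestamp within the 5-minute window). The timestamp header name and the Guard/Check names are assumptions, since the page does not give them. The example also goes beyond the commit message by remembering accepted requests, so a captured request cannot be accepted twice inside the window.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"strconv"
	"sync"
	"time"
)

const window = 5 * time.Minute          // window stated in the commit message
const tsHeader = "X-Clavitor-Timestamp" // hypothetical name, not given on the page

// Guard rejects stale, future-dated and already-seen replication requests.
type Guard struct {
	mu   sync.Mutex
	seen map[string]time.Time // request key -> time after which it can be forgotten
}

func NewGuard() *Guard { return &Guard{seen: map[string]time.Time{}} }

// Check covers header presence, freshness and de-duplication only; validating L1
// against the vault is what the page assigns to ValidateL0L1() in lib/auth.go.
func (g *Guard) Check(h http.Header, body []byte, now time.Time) error {
	l0 := h.Get("X-Clavitor-L0")
	if l0 == "" || h.Get("X-Clavitor-L1") == "" {
		return fmt.Errorf("missing L0/L1 header")
	}
	sec, err := strconv.ParseInt(h.Get(tsHeader), 10, 64)
	if err != nil {
		return fmt.Errorf("missing or malformed timestamp")
	}
	ts := time.Unix(sec, 0)
	if d := now.Sub(ts); d > window || d < -window {
		return fmt.Errorf("timestamp outside window")
	}
	key := fmt.Sprintf("%s|%d|%x", l0, sec, sha256.Sum256(body))
	g.mu.Lock()
	defer g.mu.Unlock()
	for k, exp := range g.seen { // forget entries the window check rejects anyway
		if now.After(exp) {
			delete(g.seen, k)
		}
	}
	if _, dup := g.seen[key]; dup {
		return fmt.Errorf("replayed request")
	}
	g.seen[key] = ts.Add(window)
	return nil
}
func main() { fmt.Println(NewGuard().Check(http.Header{}, nil, time.Now())) }
```

The window is applied in both directions, so a sender whose clock runs more than five minutes ahead is rejected as well as one replaying an old request.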
clavis-android chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-chrome chore: auto-commit uncommitted changes 2026-03-26 00:01:24 -04:00
clavis-cli Replication v2: Active-Passive with Async Sync (Commercial Only) 2026-04-02 00:50:20 -04:00
clavis-crypto chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-firefox chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-ios chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-safari chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-vault Complete replication implementation with L0/L1 auth (Commercial Only) 2026-04-02 01:21:20 -04:00
.DS_Store chore: auto-commit uncommitted changes 2026-03-26 00:01:24 -04:00
._.DS_Store chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
Makefile rebrand: rename vault1984 references to clavitor in Makefile and pop-sync (C-005) 2026-03-29 07:16:12 -04:00
README.md chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00

README.md

Clavis

Secure vault platform with multi-client support.

Architecture

Clavis is the vault server. Everything else is a client that talks to it.

Structure

Active Development

Directory | Purpose | Status
clavis-vault/ | Vault server with embedded UI (Go, FIPS 140-3) | Active
clavis-crypto/ | JavaScript crypto layer | Active
clavis-cli/ | CLI for agents | Active
clavis-chrome/ | Chrome browser extension | Active

Planned

Directory | Purpose | Status
clavis-firefox/ | Firefox browser extension | Announced
clavis-safari/ | Safari browser extension | Announced
clavis-ios/ | iOS native app | Announced
clavis-android/ | Android native app | Announced

Build

make deploy            # Build + test + restart everything
make deploy-vault      # Build + test + restart vault only
make deploy-web        # Build + restart website only
make status            # Check running processes
make logs-vault        # Tail vault logs
make logs-web          # Tail web logs

Clients

The vault supports multiple client types:

  • Web: Built-in UI served by vault (clavis-vault/)
  • CLI: Command-line tool for automation/agents (clavis-cli/)
  • Browser Extension: Auto-fill and TOTP in Chrome (clavis-chrome/)
  • Mobile: Native iOS/Android apps (planned)

Security

  • FIPS 140-3 validated crypto (BoringCrypto via GOEXPERIMENT)
  • Zero-knowledge architecture
  • Vault server is the single source of truth

License

Proprietary — © Clavitor