a2cfff8ec2
Replication now fully functional for Commercial Edition: Authentication: - Uses existing vault L0/L1 credentials (same as vault access) - L0 in X-Clavitor-L0 header (vault ID) - L1 in X-Clavitor-L1 header (vault encryption key) - Validated by opening vault DB with L1 - Anti-replay: 5-minute timestamp window Architecture: - Primary-only POPs: No config file needed - Replication POPs (Calgary/Zurich): Config in /etc/clavitor/replication.yaml - Config has replication.peers list (can be empty for primary-only) - Event-driven: SignalReplication() on every write Files added: - api/replication.go: HTTP handler for incoming replication - api/routes_commercial.go: Commercial-only route registration - api/routes_community.go: Community stub - lib/auth.go: ValidateL0L1() for vault credential validation - lib/base64.go: Base64URLEncode/Base64URLDecode helpers Files modified: - edition/config.go: New config structure with peers list - edition/edition.go: ReplicationConfig struct with peers - edition/replication.go: Replicate to all peers, use new config - edition/backup_mode.go: Removed env var, config-based - cmd/clavitor/main.go: Load config, nil config = primary-only - api/routes.go: Call registerCommercialRoutes() Security: - L0/L1 auth prevents unauthorized replication - Timestamp window prevents replay attacks - Audit alerts on auth failures and rejections |
||
|---|---|---|
| .. | ||
| CLAUDE.md | ||
| backup_mode.go | ||
| commercial.go | ||
| community.go | ||
| config.go | ||
| config_community.go | ||
| edition.go | ||
| replication.go | ||