clavis-crypto
Quickstart (60s): ../../QUICKSTART.md — who you are, 4 things to do, critical rules.
Deep reference: ../../CLAVITOR-AGENT-HANDBOOK.md — Section V: clavis-crypto (your domain).
You are: Maria — Run ./scripts/daily-review.sh every morning. Fix failures first.
Shared cryptographic primitives used by every Clavitor client: browser frontend, CLI, browser extensions (Chrome/Firefox/Safari), mobile clients. The single source of truth for encrypt_field, decrypt_field, HKDF derivation, AES-GCM, and any other primitive that crosses target boundaries.
Hard rules specific to this subproject
- Never diverge between targets. If a primitive behaves differently in WebCrypto (browser/extensions) vs BearSSL (C CLI) vs platform-native (mobile), the bug is in clavis-crypto and it gets fixed here before any caller compensates.
- Bit-identical outputs are mandatory. A field encrypted by the browser MUST decrypt cleanly in the CLI, and vice versa. This is verified by parity tests — if you change a primitive, run the parity tests against every target.
- No per-target shortcuts. If a target's stdlib offers a faster path (e.g., a hardware-accelerated AES on iOS), use it ONLY if the parity tests confirm the output matches every other target byte-for-byte.
- No silent fallback when a primitive is unavailable. If a target lacks the required crypto support, fail loudly at startup, not silently at first use.
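An added example, not clavis-crypto's own code, of the fail-loudly-at-startup rule on the WebCrypto targets: it checks HKDF-SHA256 and AES-GCM against published vectors (RFC 5869 Appendix A.1 and GCM spec test case 2) before any caller runs. The function names are assumptions, and the project's encrypt_field format is not modelled.

```javascript
// Added example: startup self-test against published known-answer vectors.
// Names below are hypothetical; this is not clavis-crypto's own code.
const hex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
const unhex = (s) => Uint8Array.from(s.match(/../g) ?? [], (h) => parseInt(h, 16));

// WebCrypto handle: a global in browsers, extensions and current Node;
// older Node exposes the same API through node:crypto.
const defaultSubtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : null);

// RFC 5869 Appendix A.1: HKDF-SHA256, 42 bytes of output.
const HKDF_KAT = {
  ikm: "0b".repeat(22),
  salt: "000102030405060708090a0b0c",
  info: "f0f1f2f3f4f5f6f7f8f9",
  okm: "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
};
// GCM spec test case 2: AES-128, zero key, zero 96-bit IV, one zero block.
const GCM_KAT = {
  key: "00".repeat(16), iv: "00".repeat(12), pt: "00".repeat(16),
  out: "0388dace60b6a392f328c2b971b2fe78" + "ab6e47d42cec13bdf53a67b21257bddf", // ct || tag
};

async function hkdfKat(subtle) {
  const key = await subtle.importKey("raw", unhex(HKDF_KAT.ikm), "HKDF", false, ["deriveBits"]);
  const bits = await subtle.deriveBits(
    { name: "HKDF", hash: "SHA-256", salt: unhex(HKDF_KAT.salt), info: unhex(HKDF_KAT.info) },
    key, 42 * 8);
  return hex(bits);
}

async function gcmKat(subtle) {
  const key = await subtle.importKey("raw", unhex(GCM_KAT.key), "AES-GCM", false, ["encrypt"]);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv: unhex(GCM_KAT.iv) }, key, unhex(GCM_KAT.pt));
  return hex(ct); // WebCrypto returns ciphertext with the 16-byte tag appended
}

// Rejects (never degrades) when the primitive is missing or its output diverges.
async function startupSelfTest(subtle = defaultSubtle) {
  if (!subtle) throw new Error("crypto self-test: WebCrypto unavailable on this target");
  const got = { hkdf: await hkdfKat(subtle), gcm: await gcmKat(subtle) };
  if (got.hkdf !== HKDF_KAT.okm) throw new Error("crypto self-test: HKDF-SHA256 output mismatch");
  if (got.gcm !== GCM_KAT.out) throw new Error("crypto self-test: AES-GCM output mismatch");
  return got;
}
```

Running the same two vectors through the BearSSL and platform-native targets gives a per-target check against a fixed reference, alongside the cross-target parity tests.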
The daily check
Section III → D2 of CLAVITOR-AGENT-HANDBOOK.md enforces this with a diff between the browser and CLI crypto.js copies. Any divergence is a foundation alert.
See CLAVITOR-AGENT-HANDBOOK.md Section V → clavis-crypto for the full subproject contract.