johan
/
clavitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clavitor/clavis
History
James fa7541bd4d Security review: Replication functionality (Commercial Only) 
Comprehensive security audit of event-driven replication.

CRITICAL issues (5):
1. Inter-POP authentication not implemented (stub TODO)
2. Backup-side request authentication missing
3. Backup mode uses env var (should be config-only)
4. No replay attack protection (need nonces + signatures)
5. Weak token validation (only checks existence, not entropy)

HIGH issues (4):
6. HTTPS cert validation concern
7. No audit logging of replication attempts
8. Cascade replication not prevented
9. Information disclosure in error messages

Status: NOT PRODUCTION READY - security TODO stubs present
 		2026-04-02 01:02:36 -04:00
..
clavis-android chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-chrome chore: auto-commit uncommitted changes 2026-03-26 00:01:24 -04:00
clavis-cli Replication v2: Active-Passive with Async Sync (Commercial Only) 2026-04-02 00:50:20 -04:00
clavis-crypto chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-firefox chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-ios chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-safari chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
clavis-vault Security review: Replication functionality (Commercial Only) 2026-04-02 01:02:36 -04:00
.DS_Store chore: auto-commit uncommitted changes 2026-03-26 00:01:24 -04:00
._.DS_Store chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00
Makefile rebrand: rename vault1984 references to clavitor in Makefile and pop-sync (C-005) 2026-03-29 07:16:12 -04:00
README.md chore: auto-commit uncommitted changes 2026-03-25 06:04:04 -04:00

README.md

Clavis

Secure vault platform with multi-client support.

Architecture

Clavis is the vault server. Everything else is a client that talks to it.

Structure

Active Development

Directory Purpose Status
clavis-vault/ Vault server with embedded UI (Go, FIPS 140-3) Active
clavis-crypto/ JavaScript crypto layer Active
clavis-cli/ CLI for agents Active
clavis-chrome/ Chrome browser extension Active

Planned

Directory Purpose Status
clavis-firefox/ Firefox browser extension Announced
clavis-safari/ Safari browser extension Announced
clavis-ios/ iOS native app Announced
clavis-android/ Android native app Announced

Build

make deploy            # Build + test + restart everything
make deploy-vault      # Build + test + restart vault only
make deploy-web        # Build + restart website only
make status            # Check running processes
make logs-vault        # Tail vault logs
make logs-web          # Tail web logs

Clients

The vault supports multiple client types:

  • Web: Built-in UI served by vault (clavis-vault/)
  • CLI: Command-line tool for automation/agents (clavis-cli/)
  • Browser Extension: Auto-fill and TOTP in Chrome (clavis-chrome/)
  • Mobile: Native iOS/Android apps (planned)

Security

  • FIPS 140-3 validated crypto (BoringCrypto via GOEXPERIMENT)
  • Zero-knowledge architecture
  • Vault server is the single source of truth

License

Proprietary — © Clavitor