diff --git a/drafts/vault1984-market-research.md b/drafts/vault1984-market-research.md new file mode 100644 index 0000000..812bfdb --- /dev/null +++ b/drafts/vault1984-market-research.md 
@@ -0,0 +1,197 @@ +# vault1984 — Market Research +*March 2026* + +--- + +## Market Context + +The global password management market is ~$3.5B in 2026, growing at ~22% CAGR toward $10-27B by 2030-2035 (multiple analyst estimates converge on this range). Growth drivers: AI agent adoption, rising breach frequency, regulatory pressure (NIS2, SOC2, ISO27001), and workforce credential sprawl. + +The AI agent angle is newly validated. AgentMail raised $6M in early 2026 for "email inboxes for AI agents" — agent-native infrastructure is becoming a funded category. No incumbent password manager was built for agents. They're bolting on MCP. vault1984 was designed from day one around the agent access model. + +--- + +## SMB — Small & Medium Business (1–250 employees) + +### The situation +SMBs are the fastest-growing segment for credential management. They lack dedicated security teams, use AI agents actively (Claude Code, Cursor, Codex are mainstream tools in this segment), and make purchase decisions fast. The pain: their current password manager gives agents all-or-nothing access, and nobody has verified whether the operator can read their vault. + +### Market potential +Largest volume segment. Price-sensitive but willing to pay for something that solves a real problem simply. AI-native companies in this cohort are the early adopters — they feel the agent credential problem acutely. + +### Competitors + +| Player | Pricing | AI/Agent story | Encryption | +|--------|---------|---------------|------------| +| 1Password Teams | $4/user/month | MCP plugin (bolted on) | Server can read | +| Bitwarden Teams | $4/user/month | MCP plugin (bolted on) | Server can read (hosted) | +| Dashlane Business | $5/user/month | None | Server can read | +| NordPass Business | $4/user/month | None | Zero-knowledge claim | + +**vault1984 advantage:** Designed for agent access. Superior encryption architecture. No master password friction. One binary, self-host option. 
+ +**vault1984 gap:** No team features yet. No multi-user vault management, no user provisioning, no shared vault concept. Must be built before this segment is addressable. + +### Required features to compete +- [ ] Organization accounts (owner + members) +- [ ] Shared credential vaults (team-level, not just individual) +- [ ] Admin console — invite, remove, view audit log +- [ ] Per-user MCP token management +- [ ] Basic policy (enforce 2FA, session timeout) +- [ ] Email-based onboarding + +### Pricing opportunity +$4–6/user/month ($48–72/year) is the market rate. vault1984 at current $12/year is priced for individuals. Business pricing needs a per-seat model at market rate. The encryption story supports a small premium over Bitwarden. + +**Suggested: $5/user/month billed annually ($60/user/year).** Free trial, no minimum seats. + +--- + +## MME — Mid-Market Enterprise (250–2,000 employees) + +### The situation +Has a security team. Has procurement. Has compliance requirements. Will ask for SSO, directory sync, and audit exports before signing. AI governance is becoming a real concern here — security teams are starting to question what their AI agents can access and whether the credential store can be compelled. + +### Market potential +Slower sales cycle than SMB but much higher contract value. vault1984's "operator cannot read your passwords" architecture is a compliance advantage — it reduces the blast radius of a vendor incident and simplifies the data-in-custody conversation with auditors. + +### Competitors + +| Player | Pricing | Notable | +|--------|---------|---------| +| 1Password Business | $7/user/month | SSO, Okta integration | +| Bitwarden Enterprise | $6/user/month | SSO, SCIM, on-prem option | +| Keeper Business | $6/user/month | Compliance reporting, SIEM | +| Dashlane Business | $8/user/month | Dark web monitoring | + +**vault1984 advantage:** The encryption architecture is a compliance argument. 
A vendor that provably cannot read your credentials is easier to pass through legal review than one that promises not to. "Operator-blind" = smaller vendor risk exposure. + +**vault1984 gap:** SSO is table stakes at this size. No SCIM, no Okta/Azure AD integration, no compliance exports. These are hard blockers. + +### Required features to compete +- [ ] SAML 2.0 / OIDC SSO (Okta, Azure AD, Google Workspace) +- [ ] SCIM provisioning — automated user lifecycle management +- [ ] Compliance exports (audit log export, CSV/SIEM format) +- [ ] Policy enforcement at org level +- [ ] Dedicated admin console with role-based access +- [ ] SLA commitment (99.9%+) +- [ ] Custom onboarding support + +### Pricing opportunity +$6–10/user/month. SSO parity commands a small premium. The compliance story supports $8/user/month with annual commitment. + +**Suggested: $8/user/month ($96/user/year), minimum 25 seats.** Discount for 100+. + +--- + +## Enterprise (2,000+ employees) + +### The situation +Has a full security team, a PAM (Privileged Access Management) strategy, and will spend 6 months in procurement. Needs SOC 2 Type II certification, custom SLAs, dedicated support, possibly on-prem deployment. AI governance is an active concern — CISO teams are mandating controls on what AI agents can access. + +### Market potential +Smallest number of deals, largest contract value. A single enterprise contract can be $500k–$2M/year. But the sales cycle is long and the certification requirements are significant. This segment is addressable in 2–3 years, not now. 
+ +### Competitors + +| Player | Position | Pricing | +|--------|----------|---------| +| CyberArk | PAM market leader | $100k+ contracts | +| Delinea (Thycotic) | PAM mid-tier | $50k–$200k | +| HashiCorp Vault | Secrets management (infra) | $19–29/user/month (HCP) | +| 1Password Enterprise | Password manager | Custom ($8–15/user/month typical) | +| Bitwarden Enterprise | Password manager | Custom | + +**vault1984 advantage:** The architecture argument is most compelling here — enterprises care deeply about vendor risk. A credential store the vendor cannot read is structurally better for compliance than one protected by policy. The AI agent credential management gap is also sharpest here: enterprises running large agent infrastructure need granular control. + +**vault1984 gap:** Enormous. No SOC 2, no PAM integration, no SIEM connectors (Splunk, Elastic, Sentinel), no dedicated support, no on-prem option, no custom SLA. This is a 2–3 year roadmap. + +### Required features to compete +- [ ] SOC 2 Type II certification +- [ ] PAM integration (CyberArk, Delinea) +- [ ] SIEM integration (Splunk, Elastic, Microsoft Sentinel) +- [ ] HSM support for key management +- [ ] On-premises / private cloud deployment option +- [ ] Custom SLA (99.99%+, dedicated support) +- [ ] Custom contractual terms (DPA, BAA if applicable) +- [ ] Dedicated customer success manager + +### Pricing opportunity +Custom. $10–20/user/month or six-figure annual deals for large deployments. + +--- + +## MSP — Managed Service Providers + +### ⚠️ License blocker + +**The Elastic License 2.0 prohibits MSPs from deploying vault1984 for their clients.** The ELv2 explicitly bars "providing the software to third parties as a hosted or managed service." An MSP running vault1984 instances for client organizations is exactly this scenario. + +**This segment requires a separate commercial license from vault1984.** This is actually an opportunity — sell commercial MSP licenses at a per-client or per-seat rate. 
The ELv2 model (free for self-use, paid commercial license for resellers) is a proven business model used by Elastic, HashiCorp, and others. + +### The situation +MSPs manage IT for 10–500 SMB clients each. They need a password manager they can deploy, manage, and bill per client. The segment is poorly served: 1Password MSP is widely considered overpriced ($5/user/month wholesale, complaints on r/msp), Bitwarden MSP exists but lacks multi-tenant management tooling, and most MSP-specific tools (N-able Passportal, CyberFOX) lack the AI agent story entirely. + +### Market potential +High. An MSP with 100 clients averaging 20 users each represents 2,000 seats. vault1984's architecture is actually perfect for MSPs — they literally cannot read their clients' passwords, which eliminates a significant liability and trust issue. "Your MSP cannot see your passwords" is a strong sales argument for the MSP to their clients. + +### Competitors + +| Player | Pricing | Notable | +|--------|---------|---------| +| 1Password MSP | ~$5/user/month wholesale | Widely seen as overpriced | +| Bitwarden MSP | ~$3/user/month | Limited multi-tenant tooling | +| N-able Passportal | ~$3/user/month | RMM integration, weak encryption | +| CyberFOX | Custom | PAM focus, PSA integration | +| IT Glue (Kaseya) | ~$29/tech/month | Documentation focus, not password-first | + +**vault1984 advantage:** Operator-blind architecture is a legal and trust advantage for MSPs. "We cannot read your clients' passwords" removes the MSP as a liability surface. Strong AI agent story is a differentiator as MSPs start managing agentic workflows for their clients. One binary + SQLite makes per-client deployment trivially simple. + +**vault1984 gap:** No white-label, no PSA/RMM integration (ConnectWise, NinjaRMM, Kaseya, HaloPSA), no multi-tenant management console, and most importantly — needs a commercial MSP license structure. 
+ +### Required features to compete +- [ ] Commercial MSP license (separate from ELv2) +- [ ] Multi-tenant management console (deploy/manage all client vaults from one pane) +- [ ] White-label (logo, domain, email branding) +- [ ] PSA integration (ConnectWise Manage, Autotask, HaloPSA) +- [ ] RMM integration (NinjaRMM, N-able, Datto) +- [ ] Bulk billing / consolidated invoicing +- [ ] Client-level audit log access +- [ ] MSP technician access (read-only to shared team credentials, no access to Identity layer) + +### Pricing opportunity +$2–3/user/month wholesale (MSP pays), resells at $5–8/user/month to clients. Alternatively, flat fee per client vault instance. + +**Suggested commercial MSP license: $2/user/month billed to MSP, minimum 5 clients.** Volume discounts at 500+ seats. + +--- + +## Summary + +| Segment | Addressable now? | Primary gap | Revenue potential | +|---------|-----------------|-------------|-------------------| +| **SMB** | 6–12 months | Team features, multi-user | High volume, $5/user/month | +| **MME** | 12–18 months | SSO, SCIM, compliance | Medium volume, $8/user/month | +| **Enterprise** | 2–3 years | SOC2, PAM, SIEM, SLA | Low volume, high value | +| **MSP** | 6–12 months (with commercial license) | MSP license, white-label, PSA integration | High multiplier, $2–3/user/month wholesale | + +### Recommended sequencing + +1. **Now:** Lock in SMB early adopters — AI-native companies already running agents. They'll tolerate missing team features if the core product is right. Start building the waitlist. +2. **H2 2026:** Ship team features. Launch SMB pricing. Begin MSP commercial license discussions. +3. **2027:** MME features (SSO, SCIM). Begin compliance certification track. +4. **2028+:** Enterprise. + +### The structural advantage across all segments + +vault1984's architecture — operator-blind Credential and Identity encryption — is not just a marketing claim. 
It reduces vendor risk across every segment: +- SMB: "even if we get hacked, your passwords are safe" +- MME: smaller vendor risk surface for compliance reviews +- Enterprise: structural argument for CISO sign-off +- MSP: MSP cannot be compelled to hand over client passwords + +No incumbent can make this claim. It's the moat that scales. + +--- + +*Draft — George for Johan. Do not publish.* diff --git a/drafts/vault1984-math-vs-keys.md b/drafts/vault1984-math-vs-keys.md new file mode 100644 index 0000000..c3cf8e1 --- /dev/null +++ b/drafts/vault1984-math-vs-keys.md 
@@ -0,0 +1,128 @@ +# Math vs. Keys — The Numbers +*Supporting research for vault1984 copy, HN articles, and /security page* + +--- + +## The breach that keeps taking + +In August 2022, attackers exfiltrated the encrypted vault database of a leading password manager — over 25 million users' encrypted vaults. The company's response: "your vault is protected by your master password, which we never know." + +What they didn't say: if the master password is weak enough, attackers don't need to know it. They just have to guess it. Offline. Forever. Without any rate limiting. Without any lockout. The vault is on their servers now. + +**March 2025 — US federal court filing:** The FBI and Secret Service confirmed that a $150M cryptocurrency heist on January 30, 2024 — 17 months after the breach — was executed using credentials cracked from vaults stolen in 2022. The victim was the co-founder of a major cryptocurrency platform. + +**December 2025 — TRM Labs:** Cracking and draining continued through late 2025. Three years after the breach. Still ongoing. + +The encryption "worked." The problem was never the encryption. It was who held the key. + +--- + +## The cracking math + +The vault was encrypted with PBKDF2-SHA256. PBKDF2 is a "key stretching" function: it takes your master password and runs it through SHA-256 thousands of times, making brute-force attacks slower. + +The company set the default iteration count to **5,000** for browser extension users. Most users never changed it. + +**A single RTX 4090 GPU tests ~17,000 master password guesses per second** at 5,000 iterations. 
+ +| Password type | Guesses needed | Time to crack (1× RTX 4090) | Time to crack (12× RTX 4090) | +|--------------|---------------|----------------------------|-----------------------------| +| 6 chars, lowercase | 309 million | 5 hours | 25 minutes | +| 8 chars, lowercase | 208 billion | 142 days | 12 days | +| 8 chars, mixed + numbers | 218 trillion | 408 years | 34 years | +| 8 chars, all printable | 7.2 quadrillion | 13,500 years | 1,100 years | +| Common word + numbers (e.g. "summer2019") | ~100 billion | 68 days | 6 days | +| 4 random words (Diceware) | ~7 trillion | 13 years | 1 year | +| 12+ random characters | ~10^22 | 18 billion years | 1.5 billion years | + +At 600,000 iterations (the recommended setting in 2022): multiply all times by ~120. A single RTX 4090 tests only ~140 guesses/second. + +**The key numbers:** +- Most users: 5,000 iterations, human-chosen password. Weak passwords cracked in days. Typical passwords (word+year+symbol pattern): weeks to months. +- A GPU farm of 100 cards costing ~$200,000: multiply all times by 100. +- Attackers can buy this capacity. They have 3 years of time and $150M reasons to keep buying it. +- Every vault stolen in 2022 is still being worked on. They never stop. + +--- + +## Why "more iterations" doesn't solve it + +The company eventually set the iteration count to 600,000 for new users. The security industry often cites this as "fixing" the problem. + +It doesn't. It buys time. The vault is still stolen. The master password is still the only thing protecting it. If the password is: +- In any breach database (billions of passwords are): seconds. +- A dictionary word with substitutions (p@ssw0rd, etc.): hours. +- A short human-chosen phrase: weeks to months, even at 600k iterations. +- A strong, unique, 16+ character random password: safe (for now — quantum computing is a separate conversation). + +The fundamental problem: **the vault is held hostage forever.** Attackers have it. 
They'll crack whatever they can crack, whenever hardware gets cheaper or techniques improve. Every vault that isn't protected by a genuinely random, unique, 16+ character master password is at ongoing risk. + +And the average person's master password is not that. + +--- + +## vault1984: why math makes it different + +vault1984's Credential and Identity fields don't use a master password as the key. The key derives from your **WebAuthn hardware authenticator's PRF output** — a 32-byte value generated by cryptographic hardware in response to a challenge, using a key that never leaves the authenticator. + +**What this means in practice:** + +The key is not a password. It has no dictionary structure. It's 256 bits of hardware-derived entropy — equivalent to a truly random 39-character password using the full printable character set. + +**The brute-force math at 256-bit key entropy:** + +| Hardware | Guesses/second | Time to crack | +|----------|---------------|---------------| +| RTX 4090 | 10^12 | 3.7 × 10^57 years | +| All GPUs on Earth (~10^9 devices) | 10^21 | 3.7 × 10^48 years | +| Hypothetical exascale cracker (10^18/sec) | 10^18 | 3.7 × 10^51 years | + +**For reference: the universe is 1.38 × 10^10 years old.** + +The time to brute-force a 256-bit key is approximately **10^41 times the age of the universe** even with every GPU on Earth working simultaneously. This isn't "very hard." This is "computationally impossible for any conceivable hardware." + +**The critical difference from the master password model:** + +With the master password model: the math buys time. Weak passwords fall quickly. Strong passwords take longer. The attacker waits. + +With vault1984's PRF-derived key: there is no password to guess. The key doesn't come from a dictionary, a brain, or a pattern. It comes from hardware. The only way to derive it is to physically possess and authenticate with the hardware authenticator. + +**Steal vault1984's database. 
You get:** +- Vault-layer data (titles, URLs, usernames) — encrypted with VAULT_KEY, readable with the server key +- Credential fields — 256-bit encrypted blobs. Computationally impossible to decrypt without the hardware key. +- Identity fields — same. Hardware tap required. + +There is no "crack it in 3 years." There is no "wait for better hardware." The math is categorical, not probabilistic. + +--- + +## The "cannot vs. will not" proof + +This is why vault1984 can say "cannot, not will not." + +Other password managers: "we will not read your passwords." This is a policy. It depends on the company's honesty, its employees' integrity, a court order not arriving, a breach not occurring. It's "will not" — a choice, revocable under pressure. + +vault1984: "we cannot read your Credential and Identity fields." This is math. The key was derived from your hardware and delivered to your agent tokens. Our servers held the ciphertext. We never received the key. Even if we wanted to read your passwords, even if we were compelled by court order, even if we were fully breached — we have ciphertext and no key. The math makes it impossible. + +**The five-year-old version:** +- Other managers: *"I know your secret, but I pinky-promise I won't tell."* +- vault1984: *"Your secret is in a box. I don't have the key. 
I can't open it even if I tried."* + +--- + +## Sources + +- Krebs on Security, March 2025: "Feds Link $150M Cyberheist to 2022 LastPass Hacks" — FBI/Secret Service court filing confirmation + https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/ +- The Hacker News, December 2025: "LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds" + https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html +- Hive Systems, 2024: "Examining the LastPass Breach Through our Password Table" — PBKDF2 cracking rate analysis + https://www.hivesystems.com/blog/examining-the-lastpass-breach-through-our-password-table +- palant.info, December 2022: "LastPass has been breached: What now?" — Technical analysis of PBKDF2 iteration vulnerability + https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/ +- Krebs on Security, September 2023: "Experts Fear Crooks Are Cracking Keys Stolen in LastPass Breach" + https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/ + +--- + +*Research draft — George for Johan. For use in HN articles, /security page, and supporting copy. Not for direct publication.* diff --git a/memory/2026-03-11.md b/memory/2026-03-11.md new file mode 100644 index 0000000..fa80a9b --- /dev/null +++ b/memory/2026-03-11.md 
@@ -0,0 +1,28 @@ +## Overnight Session (Mar 10→11, 8pm-4am ET) + +### George (vault1984 writer agent) — LIVE ✅ +- Discord bot created: App ID `1480980894042030211`, username `George` +- Workspace: `/home/johan/george/` (SOUL.md, USER.md, AGENTS.md written) +- OC config: discord `accounts.george` added, binding wired, gateway restarted +- Bot connected and logged in (`logged in to discord as George`) +- Johan added bot to server ~2:48am; DM path: search `George` in Discord server members + +### .17 Server — Fully Decommissioned ✅ +- Stopped and disabled: `openclaw-gateway`, `protonmail-bridge`, `message-center`, `message-bridge` +- Was running TWO conflicting instances (old `clawdbot-gateway` dead, but `openclaw-gateway` still active) +- IMAP cursor conflict risk resolved + +### Kaseya M365 Integration — Removed ✅ +- Dead since Feb 27 (refresh token expired, client_id `1fec8e78-bce4-4aaf-ab1b-5451cc387264` blocked by Kaseya IT) +- Attempted: device code flow, auth code flow, MSAL cache extraction from OWA — all blocked/encrypted +- Johan's decision: remove all Kaseya code from MC rather than continue hacking +- Config, binary, token file all cleaned up; MC rebuilt and restarted + +### Spacebot/Andrew — Updated to v0.3.2 ✅ +- Johan explicitly authorized update (breaking HEARTBEAT.md hold) +- `docker pull` + `docker run` with same config — healthy on .17:19898 +- Check if worker dispatch bug (PR #193) fixed in this release + +### Memory/Model Notes +- Johan LPF background (Provinciale Staten Flevoland, 2002-2006) added to `memory/johan-model.md` +- Moved to US 2013, same year Iaso Backup acquired diff --git a/memory/claude-usage.db b/memory/claude-usage.db index 682839b..431f5a9 100644 Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ diff --git a/memory/claude-usage.json b/memory/claude-usage.json index ea79469..0e0a82b 100644 --- a/memory/claude-usage.json +++ b/memory/claude-usage.json 
@@ -1,9 +1,9 @@ { - "last_updated": "2026-03-11T04:00:01.496943Z", + "last_updated": "2026-03-11T10:00:01.381129Z", "source": "api", - "session_percent": 8, - "session_resets": "2026-03-11T05:00:00.448498+00:00", - "weekly_percent": 71, - "weekly_resets": "2026-03-13T03:00:00.448519+00:00", - "sonnet_percent": 55 + "session_percent": 0, + "session_resets": "2026-03-11T15:00:00.339168+00:00", + "weekly_percent": 76, + "weekly_resets": "2026-03-13T03:00:00.339195+00:00", + "sonnet_percent": 60 } \ No newline at end of file
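Review bot: in drafts/vault1984-market-research.md, the SMB competitor table's Encryption column marks 1Password Teams, Bitwarden Teams and Dashlane Business as "Server can read" (with only NordPass getting "Zero-knowledge claim"), which contradicts the companion draft's own account of the incumbent model: vault contents are ciphertext under a key derived from a master password the vendor "never know[s]", and the exposure is offline cracking after a vault theft, not live server read access. Stated as written the column will not survive legal review of the copy and undercuts the "cannot vs. will not" argument. Suggest relabelling the column as the key model, e.g. `| 1Password Teams | $4/user/month | MCP plugin (bolted on) | Password-derived key (offline-crackable after theft) |`, and applying the same wording consistently across the four rows. Separately, the Summary line "even if we get hacked, your passwords are safe" should be scoped to Credential and Identity fields, as the "structural advantage" paragraph already does, because the companion draft states that vault-layer titles, URLs and usernames are "readable with the server key"; a buyer who reads both pages will notice the gap.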
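Review bot: in drafts/vault1984-math-vs-keys.md, the bullet "A GPU farm of 100 cards costing ~$200,000: multiply all times by 100" inverts the arithmetic; 100 cards test 100× more guesses per second, so every time in the table divides by 100 (the 12× column already shows the correct direction: 5 hours → 25 minutes). Three further numbers need fixing before this goes on /security: (1) "approximately 10^41 times the age of the universe" does not follow from the table, since 3.7 × 10^48 years / 1.38 × 10^10 years ≈ 2.7 × 10^38, so say ~10^38; (2) the "4 random words (Diceware)" row assumes ~7 trillion guesses, which only holds for a roughly 1,600-word list, whereas the standard 7,776-word Diceware list gives 7776^4 ≈ 3.7 × 10^15, about 6,800 years at 17,000 guesses/s, so either state the wordlist size or correct the row; (3) "8 chars, all printable" is 95^8 ≈ 6.6 quadrillion, not 7.2 (7.2 is 96^8), a rounding nit, but the table is written to be quoted. On the "cannot vs. will not" section, the sentence "The key was derived from your hardware and delivered to your agent tokens" is the load-bearing step and the page says nothing about how that delivery happens; "we never received the key" holds only if the PRF output is evaluated and the Credential-layer key unwrapped on the client and never transits the server, or an operator-served script, in plaintext, and the copy should say so, because an operator who can ship modified client code can still capture the key at use time. The draft also never addresses authenticator loss: with no master password, a PRF-derived key is unrecoverable unless a second registered authenticator or another recovery path exists, and a practitioner reading /security will ask this immediately; add a sentence either way.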
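Review bot: in memory/2026-03-11.md, the line "Check if worker dispatch bug (PR #193) fixed in this release" is an open action item filed under a section headed "Updated to v0.3.2 ✅", so it reads as already done; move it to an unchecked item or a follow-ups heading so it is not lost. In the same section, the update is recorded as "breaking HEARTBEAT.md hold"; if HEARTBEAT.md still carries that hold it should be updated in the same change, otherwise the next session will re-apply it.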
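Review bot: memory/claude-usage.db is a binary SQLite file committed alongside its JSON counterpart, and the only thing git can show for it is "Binary files ... differ"; every usage poll will produce an unreviewable change and a guaranteed conflict on any concurrent branch. Suggest adding it to .gitignore and committing only memory/claude-usage.json, which is the reviewable record.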
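Review bot: in memory/claude-usage.json, both the old and new versions end with "\ No newline at end of file", and the timestamps mix two formats in one object (`last_updated` uses a `Z` suffix while `session_resets` and `weekly_resets` use `+00:00`); have the writer emit a trailing newline and one ISO 8601 form for all three fields so future diffs stay minimal and consumers do not need two parsing paths.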