chore: auto-commit uncommitted changes

2026-03-18 06:02:45 -04:00 · 2026-03-18 06:02:45 -04:00 · 607d5e64f7
parent 508bfdd176
commit 607d5e64f7
8 changed files with 170 additions and 70 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -74,8 +74,35 @@ Choke points:

 **Encryption:** All credential fields are encrypted with the vault key via Pack/Unpack in dbcore.go. This is the ONLY encryption path. Never encrypt/decrypt fields outside of it.

+## Session & Key Architecture (DO NOT VIOLATE)
+
+**One session key, one salt, one source of truth.**
+
+- Session key: `v1984_master` in `sessionStorage` — 32-byte master secret, base64-encoded
+- HKDF salt: `vault1984-master-v2` — used everywhere, no alternatives
+- L1 = bytes[0..8], L2 = bytes[0..16], L3 = bytes[0..32] — all derived from `v1984_master`
+- **webauthn.js** is the ONLY module that derives and stores the master key
+- **topbar.js** is the ONLY module that clears it (on lock/logout/401)
+- **crypto.js** is the ONLY module that encrypts/decrypts fields — shared between CLI and browser
+
+**Rules:**
+- NEVER create a second session key (no `v1984_l2key`, no `v1984_foo`)
+- NEVER derive keys with a different salt
+- NEVER derive or store keys outside webauthn.js
+- NEVER encrypt/decrypt outside crypto.js
+- Registration = unlocked. One tap stores the master key. No second tap.
+- `isUnlocked()` checks sessionStorage — if false, user is logged out
+
+**Shared JS (crypto/ directory):**
+- `crypto/crypto.js` and `crypto/totp.js` are the source of truth
+- Makefile copies them to `app/cmd/vault1984/web/` before building
+- NEVER edit the copies in `web/` directly — edit `crypto/` and rebuild
+- CLI (QuickJS) and browser (Web Crypto) use the same code
+
 ## Key Files

- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec
+- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec (SUPERSEDED by truncation model)
 - `docs/` — architecture docs
 - `app/cmd/vault1984` — main entry point
+- `crypto/` — shared JS crypto (source of truth for CLI + browser)
+- `cli/` — vault1984-cli (C + QuickJS + BearSSL)
--- a/1
+++ b/1
@ -31,6 +31,7 @@ GOFLAGS     := -trimpath
 all: app website

 app:
+	cp crypto/*.js $(APP_DIR)/cmd/vault1984/web/
 	cd $(APP_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o vault1984 $(APP_ENTRY)
 	@echo "built $(APP_BIN) (FIPS)"

--- a/marketing/images/twitter-banner-v2.jpg
+++ b/marketing/images/twitter-banner-v2.jpg
--- a/marketing/images/twitter-banner-v2.png
+++ b/marketing/images/twitter-banner-v2.png
--- a/marketing/images/twitter-banner.jpg
+++ b/marketing/images/twitter-banner.jpg
--- a/marketing/images/twitter-banner.png
+++ b/marketing/images/twitter-banner.png
--- a/marketing/vault1984-twitter-schedule.html
+++ b/marketing/vault1984-twitter-schedule.html
@ -13,9 +13,9 @@
  .week-label { font-size: 11px; text-transform: uppercase; letter-spacing: 2px; color: #555; margin-bottom: 16px; border-bottom: 1px solid #222; padding-bottom: 8px; }
  .posts { display: flex; flex-direction: column; gap: 16px; }
  .post { display: grid; grid-template-columns: 180px 1fr 280px; gap: 20px; background: #161616; border: 1px solid #222; border-radius: 10px; padding: 20px; align-items: start; }
-  .post.posted  { border-left: 3px solid #1d9bf0; }
+  .post.posted    { border-left: 3px solid #1d9bf0; }
  .post.scheduled { border-left: 3px solid #555; }
-  .post.pending { border-left: 3px solid #333; opacity: 0.7; }
+  .post.pending   { border-left: 3px solid #333; opacity: 0.7; }
  .meta { display: flex; flex-direction: column; gap: 6px; }
  .date { font-size: 15px; font-weight: 600; color: #fff; }
  .time { font-size: 13px; color: #888; }
@ -24,7 +24,6 @@
  .zh { background: #3a1a1a; color: #f07b7b; }
  .de { background: #1a2e1a; color: #7bf07b; }
  .pt { background: #2e2a1a; color: #f0d07b; }
-  .es { background: #2e1a2e; color: #d07bf0; }
  .status { font-size: 11px; text-transform: uppercase; letter-spacing: 1px; margin-top: 8px; }
  .status.live   { color: #1d9bf0; }
  .status.queued { color: #aaa; }
@ -33,9 +32,7 @@
  .hashtags { color: #1d9bf0; }
  .city-img { width: 100%; }
  .city-img img { width: 100%; border-radius: 8px; display: block; aspect-ratio: 16/9; object-fit: cover; }
-  @media (max-width: 800px) {
-    .post { grid-template-columns: 1fr; }
-  }
+  @media (max-width: 800px) { .post { grid-template-columns: 1fr; } }
 </style>
 </head>
 <body>
@ -70,7 +67,7 @@ Free till May 1st.
        <div class="status queued">⏳ Scheduled</div>
      </div>
      <div class="tweet-text">Your password manager can read your passwords. The company running it just chooses not to.
-vault1984 is a password manager built so the operator cannot read your vault — and your AI agents can use it without anyone else seeing what's inside.
+vault1984 is a password manager built so the operator cannot — not won't — read your vault. Your AI agents use it from Southeast Asia at local latency. Nobody else sees inside.
 Now live in Singapore 🇸🇬 — free till May 1st.
 <span class="hashtags">#Singapore #cybersecurity</span></div>
      <div class="city-img"><img src="images/singapore.jpg" alt="Singapore"></div>
@ -97,9 +94,9 @@ vault1984 是一款密码管理器 — 你的 AI 助手可以使用它，而运
        <span class="lang-badge en">EN</span>
        <div class="status queued">⏳ Scheduled</div>
      </div>
-      <div class="tweet-text">LastPass: breached. Your current password manager: can read your vault.
-vault1984 just landed in Zürich 🇨🇭 — a password manager your AI agents can use, that the operator cannot read.
-Swiss law. No CLOUD Act. Free till May 1st.
+      <div class="tweet-text">LastPass got breached. Your current password manager can read your vault.
+vault1984 just landed in Zürich 🇨🇭 — your vault in Europe, your AI agents the only ones with the key. Steal the database. You get ciphertext.
+Free till May 1st.
 <span class="hashtags">#Switzerland #privacy</span></div>
      <div class="city-img"><img src="images/zurich.jpg" alt="Zürich"></div>
    </div>
@ -111,9 +108,9 @@ Swiss law. No CLOUD Act. Free till May 1st.
        <span class="lang-badge de">DE</span>
        <div class="status queued">⏳ Scheduled</div>
      </div>
-      <div class="tweet-text">LastPass: gehackt. Dein aktueller Passwort-Manager: kann deinen Tresor lesen.
-vault1984 ist jetzt in Zürich 🇨🇭 — ein Passwort-Manager für deine KI-Agenten, den der Betreiber nicht lesen kann.
-Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai.
+      <div class="tweet-text">LastPass wurde gehackt. Dein Passwort-Manager kann deinen Tresor lesen.
+vault1984 ist jetzt in Zürich 🇨🇭 — deine KI-Agenten haben Zugriff. Niemand sonst. Die Datenbank klauen? Du bekommst Rauschen.
+Kostenlos bis 1. Mai.
 <span class="hashtags">#Schweiz #Datenschutz</span></div>
      <div class="city-img"><img src="images/zurich.jpg" alt="Zürich"></div>
    </div>
@ -123,7 +120,7 @@ Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai.

 <!-- SAO PAULO -->
 <div class="week">
-  <div class="week-label">São Paulo — Date TBD (settling period)</div>
+  <div class="week-label">São Paulo — Date TBD</div>
  <div class="posts">

    <div class="post pending">
@ -132,10 +129,11 @@ Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai.
        <span class="lang-badge en">EN</span>
        <div class="status tbd">— Pending</div>
      </div>
-      <div class="tweet-text">Brazil has 215 million people and a data privacy law with teeth.
-vault1984 just landed in São Paulo 🇧🇷 — your passwords encrypted locally, your vault in-country, your AI agents the only ones with the key.
+      <div class="tweet-text">Your password manager's server is probably in Virginia. Your vault is readable by whoever runs it.
+vault1984 just landed in São Paulo 🇧🇷 — your data on your continent, your AI agents the only ones with the key.
+Steal the database. You get noise.
 Free till May 1st.
-<span class="hashtags">#Brazil #LGPD #privacy</span></div>
+<span class="hashtags">#Brazil #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/sao-paulo.jpg" alt="São Paulo"></div>
    </div>

@ -145,10 +143,11 @@ Free till May 1st.
        <span class="lang-badge pt">PT</span>
        <div class="status tbd">— Pending</div>
      </div>
-      <div class="tweet-text">O Brasil tem 215 milhões de pessoas e uma lei de privacidade com dentes.
-vault1984 chegou em São Paulo 🇧🇷 — suas senhas criptografadas localmente, seu cofre no país, seus agentes de IA os únicos com a chave.
+      <div class="tweet-text">O servidor do seu gerenciador de senhas provavelmente está na Virgínia. E o operador pode ler tudo.
+vault1984 chegou em São Paulo 🇧🇷 — seus dados no seu continente, seus agentes de IA os únicos com a chave.
+Roube o banco de dados. Você obtém ruído.
 Grátis até 1º de maio.
-<span class="hashtags">#Brazil #LGPD #privacidade</span></div>
+<span class="hashtags">#Brazil #AIagents #privacidade</span></div>
      <div class="city-img"><img src="images/sao-paulo.jpg" alt="São Paulo"></div>
    </div>

@ -162,39 +161,40 @@ Grátis até 1º de maio.

    <div class="post pending">
      <div class="meta"><div class="date">London 🇬🇧</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Your bank is in London. Your law firm runs AI agents on client data. Your password manager's server is in Virginia.
-vault1984 just landed in London 🇬🇧 — your vault in-jurisdiction, your agents the only ones with the key.
-Free till May 1st. <span class="hashtags">#UK #privacy #AIagents</span></div>
+      <div class="tweet-text">Your bank is in London. Your law firm runs AI agents on client data. Your password manager's server is in Virginia — and whoever runs it can read every credential.
+vault1984 just landed in London 🇬🇧 — your agents get access. Nobody else does. Ever.
+Free till May 1st. <span class="hashtags">#UK #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/london.jpg" alt="London"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Stockholm 🇸🇪</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Sweden gave the world GDPR's spirit. Now vault1984 gives Sweden a vault the operator cannot read.
-Live in Stockholm 🇸🇪 — free till May 1st. <span class="hashtags">#Sweden #GDPR #privacy</span></div>
+      <div class="tweet-text">Most password managers are built on a promise: "we won't look."
+vault1984 is built so we can't. Your vault in Stockholm 🇸🇪 — encrypted so the operator sees only ciphertext. Your AI agents are the only key.
+Free till May 1st. <span class="hashtags">#Sweden #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/stockholm.jpg" alt="Stockholm"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Dubai 🇦🇪</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">The Middle East is spending billions on AI. Your AI agents need credentials. Those credentials need a vault the operator cannot read.
-vault1984 is live in Dubai 🇦🇪 — built for the age of agents.
-Free till May 1st. <span class="hashtags">#UAE #Dubai #AIagents</span></div>
+      <div class="tweet-text">The Middle East is spending billions on AI. Your agents need credentials. Those credentials live on a server somebody else can read.
+vault1984 is live in Dubai 🇦🇪 — the vault your agents use that the operator cannot open. Architecture, not policy.
+Free till May 1st. <span class="hashtags">#UAE #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/dubai.jpg" alt="Dubai"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Lagos 🇳🇬</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Africa's AI moment is here. Your agents shouldn't be handing credentials to a server in Virginia.
-vault1984 is live in Lagos 🇳🇬 — your vault on your continent, readable only by you and your AI.
-Free till May 1st. <span class="hashtags">#Nigeria #Africa #AIagents</span></div>
+      <div class="tweet-text">Africa's AI moment is here. Your agents are running. Your credentials are on a server somebody else controls.
+vault1984 is live in Lagos 🇳🇬 — your vault on your continent, low latency for African agents. Steal it. You get ciphertext.
+Free till May 1st. <span class="hashtags">#Nigeria #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/lagos.jpg" alt="Lagos"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Tokyo 🇯🇵</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
      <div class="tweet-text">Japan's enterprise AI adoption is accelerating. Every agent workflow that touches credentials needs a vault the operator cannot read.
-vault1984 just landed in Tokyo 🇯🇵 — your agents get access. Nobody else does.
+vault1984 just landed in Tokyo 🇯🇵 — low latency for your agents, zero access for the operator. Not us, not anyone.
 Free till May 1st. <span class="hashtags">#Japan #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/tokyo.jpg" alt="Tokyo"></div>
    </div>
@ -202,115 +202,118 @@ Free till May 1st. <span class="hashtags">#Japan #AIagents #cybersecurity</span>
    <div class="post pending">
      <div class="meta"><div class="date">Mumbai 🇮🇳</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
      <div class="tweet-text">India has the largest developer community in the world. They're building AI agents. Those agents need credentials. Those credentials need a vault nobody else can read.
-vault1984 is live in Mumbai 🇮🇳 — free till May 1st.
-<span class="hashtags">#India #AIagents #cybersecurity</span></div>
+vault1984 is live in Mumbai 🇮🇳 — low latency for your agents in South Asia, operator-blind. Always.
+Free till May 1st. <span class="hashtags">#India #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/mumbai.jpg" alt="Mumbai"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Seoul 🇰🇷</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Samsung, LG, Kakao — Korea's enterprises are deploying AI agents at scale. Every one of them needs credentials. vault1984 is the vault those agents can use and the operator cannot read.
-Live in Seoul 🇰🇷 — free till May 1st. <span class="hashtags">#Korea #AIagents #cybersecurity</span></div>
+      <div class="tweet-text">Samsung, LG, Kakao — Korea's enterprises are deploying AI agents at scale. Every one needs credentials. Every one needs a vault the operator cannot read.
+vault1984 is live in Seoul 🇰🇷 — local latency for your agents, operator-blind by architecture.
+Free till May 1st. <span class="hashtags">#Korea #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/seoul.jpg" alt="Seoul"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Sydney 🇦🇺</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Australia's AI adoption is outpacing its security infrastructure. Your agents are already running. Is your vault operator-blind?
-vault1984 is live in Sydney 🇦🇺 — local, encrypted, agent-ready.
-Free till May 1st. <span class="hashtags">#Australia #AIagents #privacy</span></div>
+      <div class="tweet-text">Your AI agents are already running. Is your vault operator-blind?
+vault1984 is live in Sydney 🇦🇺 — local latency, encrypted vault, agent-ready. The operator sees ciphertext. That's it.
+Free till May 1st. <span class="hashtags">#Australia #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/sydney.jpg" alt="Sydney"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Istanbul 🇹🇷</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Turkey sits between Europe and Asia. Its AI startup scene is growing fast. Your agents need credentials. Those credentials need a vault the platform cannot read.
-vault1984 is live in Istanbul 🇹🇷 — encrypted, local, agent-ready.
+      <div class="tweet-text">Turkey's AI startup scene is moving fast. Your agents need credentials that live somewhere the platform can't read.
+vault1984 is live in Istanbul 🇹🇷 — encrypted so the operator sees nothing. Your agents are the only key.
 Free till May 1st. <span class="hashtags">#Turkey #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/istanbul.jpg" alt="Istanbul"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Nairobi 🇰🇪</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Nairobi is East Africa's tech capital. Its builders are skipping the old stack entirely — straight to AI agents.
-vault1984 is live in Nairobi 🇰🇪 — the credential vault your agents use, that nobody else can read.
-Free till May 1st. <span class="hashtags">#Kenya #Africa #AIagents</span></div>
+      <div class="tweet-text">Nairobi's builders are skipping the old stack — straight to AI agents. Those agents need credentials that the platform hosting them cannot read.
+vault1984 is live in Nairobi 🇰🇪 — your vault close to where your agents run. Operator-blind.
+Free till May 1st. <span class="hashtags">#Kenya #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/nairobi.jpg" alt="Nairobi"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Cape Town 🇿🇦</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">South Africa has some of Africa's strictest data laws. vault1984 just made compliance easier.
-Live in Cape Town 🇿🇦 — your vault, your jurisdiction, your AI.
-Free till May 1st. <span class="hashtags">#SouthAfrica #POPIA #privacy</span></div>
+      <div class="tweet-text">It doesn't matter where your vault lives if the operator can read it. vault1984 just landed in Cape Town 🇿🇦 — your data in-region, encrypted so we see only ciphertext. Subpoena us. We hand over noise.
+Free till May 1st. <span class="hashtags">#SouthAfrica #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/cape-town.jpg" alt="Cape Town"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Madrid 🇪🇸</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">GDPR wasn't enough. You still trust your password manager to not look inside.
-vault1984 just landed in Madrid 🇪🇸 — architecturally operator-blind.
-Free till May 1st. <span class="hashtags">#Spain #GDPR #privacy</span></div>
+      <div class="tweet-text">GDPR says companies must protect your data. It doesn't say they can't read it.
+vault1984 just landed in Madrid 🇪🇸 — built so the operator architecturally cannot. Your agents use it. Nobody else sees inside.
+Free till May 1st. <span class="hashtags">#Spain #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/madrid.jpg" alt="Madrid"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Montréal 🇨🇦</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Canada's Law 25 is North America's strictest privacy law. vault1984 just made it irrelevant — we can't read your data anyway.
-Live in Montréal 🇨🇦 — free till May 1st. <span class="hashtags">#Canada #privacy #cybersecurity</span></div>
+      <div class="tweet-text">Privacy laws tell companies how to handle your data. They don't stop companies from reading it.
+vault1984 just landed in Montréal 🇨🇦 — the vault that's operator-blind by design. Your agents get in. We don't.
+Free till May 1st. <span class="hashtags">#Canada #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/montreal.jpg" alt="Montréal"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Mexico City 🇲🇽</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Latin America's largest city. Your data doesn't need to leave it.
-vault1984 is live in Mexico City 🇲🇽 — operator-blind password management, finally in your timezone.
-Free till May 1st. <span class="hashtags">#Mexico #privacy #cybersecurity</span></div>
+      <div class="tweet-text">Latin America's largest city. Its developers are building AI agents at speed. Those agents hand credentials to servers somebody else controls.
+vault1984 is live in Mexico City 🇲🇽 — operator-blind, agent-ready.
+Free till May 1st. <span class="hashtags">#Mexico #AIagents #cybersecurity</span></div>
      <div class="city-img"><img src="images/mexico-city.jpg" alt="Mexico City"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Bogotá 🇨🇴</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Colombia's Habeas Data law protects your personal data. vault1984 takes it further — we can't read it regardless.
-Live in Bogotá 🇨🇴 — free till May 1st. <span class="hashtags">#Colombia #privacy</span></div>
+      <div class="tweet-text">Your credentials live on a server. That server has an operator. That operator can read your vault.
+vault1984 is live in Bogotá 🇨🇴 — built so the operator cannot. Steal the database. You get ciphertext.
+Free till May 1st. <span class="hashtags">#Colombia #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/bogota.jpg" alt="Bogotá"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Santiago 🇨🇱</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Chile just passed South America's most comprehensive privacy law. vault1984 already meets it — architecturally.
-Live in Santiago 🇨🇱 — free till May 1st. <span class="hashtags">#Chile #privacy #cybersecurity</span></div>
+      <div class="tweet-text">Every password manager promises to protect your data. vault1984 is built so we can't betray that promise even if we wanted to.
+Live in Santiago 🇨🇱 — your agents hold the key. We hold ciphertext.
+Free till May 1st. <span class="hashtags">#Chile #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/santiago.jpg" alt="Santiago"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Hong Kong 🇭🇰</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">When the rules change, your vault shouldn't be readable by anyone.
-vault1984 is live in Hong Kong 🇭🇰 — encrypted so the operator sees only ciphertext.
-Free till May 1st. <span class="hashtags">#HongKong #privacy #cybersecurity</span></div>
+      <div class="tweet-text">When the rules change overnight, your vault shouldn't be readable by whoever runs the server.
+vault1984 is live in Hong Kong 🇭🇰 — encrypted so the operator sees only ciphertext. Always. Regardless of what anyone asks.
+Free till May 1st. <span class="hashtags">#HongKong #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/hong-kong.jpg" alt="Hong Kong"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">San Francisco 🇺🇸</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">You're in SF. You're building agents. You're handing them credentials stored on someone else's server.
-vault1984 is the vault your agents use that the operator cannot read — now live in San Francisco 🇺🇸
+      <div class="tweet-text">You're building agents. You're handing them credentials stored on someone else's server — which that someone can read.
+vault1984 is live in San Francisco 🇺🇸 — the vault your agents use at West Coast latency, that the operator cannot open.
 Free till May 1st. <span class="hashtags">#SF #AIagents #buildinpublic</span></div>
      <div class="city-img"><img src="images/san-francisco.jpg" alt="San Francisco"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Buenos Aires 🇦🇷</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">Argentina's PDPA was ahead of its time. vault1984 is further ahead — the operator cannot be compelled to hand over what it cannot read.
-Live in Buenos Aires 🇦🇷 — free till May 1st. <span class="hashtags">#Argentina #privacy #cybersecurity</span></div>
+      <div class="tweet-text">Every password manager has one structural problem: the operator can read your vault. Laws don't fix that. Architecture does.
+vault1984 is live in Buenos Aires 🇦🇷 — operator-blind by design. Your agents hold the key. We hold noise.
+Free till May 1st. <span class="hashtags">#Argentina #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/buenos-aires.jpg" alt="Buenos Aires"></div>
    </div>

    <div class="post pending">
      <div class="meta"><div class="date">Auckland 🇳🇿</div><span class="lang-badge en">EN</span><div class="status tbd">— Pending</div></div>
-      <div class="tweet-text">New Zealand is part of the Five Eyes surveillance alliance.
-vault1984 just landed in Auckland 🇳🇿 anyway — because we can't read your vault regardless of who asks.
-Free till May 1st. <span class="hashtags">#NewZealand #FiveEyes #privacy</span></div>
+      <div class="tweet-text">Five Eyes, three eyes, one eye — doesn't matter. vault1984 just landed in Auckland 🇳🇿. Subpoena us. We hand over ciphertext. That's not a legal position. It's architecture.
+Free till May 1st. <span class="hashtags">#NewZealand #AIagents #privacy</span></div>
      <div class="city-img"><img src="images/auckland.jpg" alt="Auckland"></div>
    </div>

--- a/marketing/vault1984-vision.md
+++ b/marketing/vault1984-vision.md
@ -0,0 +1,69 @@
+# vault1984 — Vision Statement
+
+*"If you want to keep a secret, you must also hide it from yourself."*
+— George Orwell
+
+We built a password manager that takes that literally.
+
+---
+
+## What we built
+
+A password manager where the operator cannot read your vault. Not policy. Not a promise. Architecture. The server holds your data and nothing else. Steal the database. You get ciphertext.
+
+Your AI agents authenticate against it, retrieve credentials, and operate autonomously. Nobody else sees inside. Not us, not anyone with a subpoena, not a breach.
+
+We open-sourced it. You don't have to trust us — you can read the proof.
+
+---
+
+## The demoralizing lead
+
+vault1984 is built to lead in ways that are irrational to chase.
+
+**Global infrastructure no competitor has built**
+22 regions. Every continent. Local providers in markets the major clouds don't reach — Lagos, Nairobi, and beyond. Low latency wherever your agents run. No competitor is close. Every month, the gap widens.
+
+**Architecture the incumbents cannot copy**
+1Password, Bitwarden, Dashlane — they can read your vault. They choose not to. To give you what vault1984 gives you, they'd have to deprecate every existing vault, migrate every user, and rebuild from scratch. That's not a roadmap item. That's a company-ending decision. They are structurally, permanently trapped.
+
+**The lowest price in the world**
+$12/year, hosted. Free to self-host. 1Password charges three times that — and reads your vault. Our price is not a promotion. It's a structural weapon: defensible at scale, irrational to match at zero.
+
+**Agent-native from day one**
+Every other password manager was built for humans clicking into browsers. vault1984 was built for agents — API-first, MCP-native, designed for autonomous workflows. Everyone else is retrofitting. We shipped the category.
+
+**Open source, Elastic-licensed**
+The code is public. Security researchers audit it. Developers integrate it. The community compounds. And the Elastic license means competitors can read every line — but cannot commercially repackage what we built. They can study the map. They cannot copy the territory.
+
+---
+
+## Two types of competition. Neither can win.
+
+**Incumbents** are architecturally trapped. Fixing their fundamental problem destroys their existing product. They know it. We know it. Their users will eventually know it.
+
+**Copycats** face five simultaneous problems with no shortcuts:
+- Infrastructure that took years to build across 22 regions with local providers
+- Trust that only time-in-market and independent audits produce
+- A price floor that requires scale they don't have
+- An agent ecosystem and integration surface that compounds daily
+- A license that prohibits commercializing our code
+
+The expected value of competing with vault1984 is negative. That is not an accident.
+
+---
+
+## Who this is for
+
+Anyone who got a LastPass breach email.
+Any developer building AI agents that touch credentials.
+Any enterprise running autonomous workflows and asking "who else can see this?"
+Any individual who understood what "the company can read your vault" actually means.
+
+The answer to all of them is the same:
+
+**vault1984. The operator cannot read it. Anywhere in the world. At the lowest price. Verifiably.**
+
+---
+
+*vault1984 · vault1984.com · @vault1984*