diff --git a/CLAUDE.md b/CLAUDE.md index 57bff24..5e744c4 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -74,8 +74,35 @@ Choke points: **Encryption:** All credential fields are encrypted with the vault key via Pack/Unpack in dbcore.go. This is the ONLY encryption path. Never encrypt/decrypt fields outside of it. +## Session & Key Architecture (DO NOT VIOLATE) + +**One session key, one salt, one source of truth.** + +- Session key: `v1984_master` in `sessionStorage` — 32-byte master secret, base64-encoded +- HKDF salt: `vault1984-master-v2` — used everywhere, no alternatives +- L1 = bytes[0..8], L2 = bytes[0..16], L3 = bytes[0..32] — all derived from `v1984_master` +- **webauthn.js** is the ONLY module that derives and stores the master key +- **topbar.js** is the ONLY module that clears it (on lock/logout/401) +- **crypto.js** is the ONLY module that encrypts/decrypts fields — shared between CLI and browser + +**Rules:** +- NEVER create a second session key (no `v1984_l2key`, no `v1984_foo`) +- NEVER derive keys with a different salt +- NEVER derive or store keys outside webauthn.js +- NEVER encrypt/decrypt outside crypto.js +- Registration = unlocked. One tap stores the master key. No second tap. +- `isUnlocked()` checks sessionStorage — if false, user is logged out + +**Shared JS (crypto/ directory):** +- `crypto/crypto.js` and `crypto/totp.js` are the source of truth +- Makefile copies them to `app/cmd/vault1984/web/` before building +- NEVER edit the copies in `web/` directly — edit `crypto/` and rebuild +- CLI (QuickJS) and browser (Web Crypto) use the same code + ## Key Files -- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec +- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec (SUPERSEDED by truncation model) - `docs/` — architecture docs - `app/cmd/vault1984` — main entry point +- `crypto/` — shared JS crypto (source of truth for CLI + browser) +- `cli/` — vault1984-cli (C + QuickJS + BearSSL) 
diff --git a/Makefile b/Makefile index a9f4d55..6057336 100644 --- a/Makefile +++ b/Makefile @@ -31,6 +31,7 @@ GOFLAGS := -trimpath all: app website app: + cp crypto/*.js $(APP_DIR)/cmd/vault1984/web/ cd $(APP_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o vault1984 $(APP_ENTRY) @echo "built $(APP_BIN) (FIPS)" diff --git a/marketing/images/twitter-banner-v2.jpg b/marketing/images/twitter-banner-v2.jpg new file mode 100644 index 0000000..7ceb2d6 Binary files /dev/null and b/marketing/images/twitter-banner-v2.jpg differ diff --git a/marketing/images/twitter-banner-v2.png b/marketing/images/twitter-banner-v2.png new file mode 100644 index 0000000..79b64da Binary files /dev/null and b/marketing/images/twitter-banner-v2.png differ diff --git a/marketing/images/twitter-banner.jpg b/marketing/images/twitter-banner.jpg new file mode 100644 index 0000000..a85543a Binary files /dev/null and b/marketing/images/twitter-banner.jpg differ diff --git a/marketing/images/twitter-banner.png b/marketing/images/twitter-banner.png new file mode 100644 index 0000000..167a892 Binary files /dev/null and b/marketing/images/twitter-banner.png differ diff --git a/marketing/vault1984-twitter-schedule.html b/marketing/vault1984-twitter-schedule.html index ff12960..cc4736f 100644 --- a/marketing/vault1984-twitter-schedule.html +++ b/marketing/vault1984-twitter-schedule.html 
@@ -13,9 +13,9 @@ .week-label { font-size: 11px; text-transform: uppercase; letter-spacing: 2px; color: #555; margin-bottom: 16px; border-bottom: 1px solid #222; padding-bottom: 8px; } .posts { display: flex; flex-direction: column; gap: 16px; } .post { display: grid; grid-template-columns: 180px 1fr 280px; gap: 20px; background: #161616; border: 1px solid #222; border-radius: 10px; padding: 20px; align-items: start; } - .post.posted { border-left: 3px solid #1d9bf0; } + .post.posted { border-left: 3px solid #1d9bf0; } .post.scheduled { border-left: 3px solid #555; } - .post.pending { border-left: 3px solid #333; opacity: 0.7; } + .post.pending { border-left: 3px solid #333; opacity: 0.7; } .meta { display: flex; flex-direction: column; gap: 6px; } .date { font-size: 15px; font-weight: 600; color: #fff; } .time { font-size: 13px; color: #888; } @@ -24,7 +24,6 @@ .zh { background: #3a1a1a; color: #f07b7b; } .de { background: #1a2e1a; color: #7bf07b; } .pt { background: #2e2a1a; color: #f0d07b; } - .es { background: #2e1a2e; color: #d07bf0; } .status { font-size: 11px; text-transform: uppercase; letter-spacing: 1px; margin-top: 8px; } .status.live { color: #1d9bf0; } .status.queued { color: #aaa; } @@ -33,9 +32,7 @@ .hashtags { color: #1d9bf0; } .city-img { width: 100%; } .city-img img { width: 100%; border-radius: 8px; display: block; aspect-ratio: 16/9; object-fit: cover; } - @media (max-width: 800px) { - .post { grid-template-columns: 1fr; } - } + @media (max-width: 800px) { .post { grid-template-columns: 1fr; } } @@ -70,7 +67,7 @@ Free till May 1st.
⏳ Scheduled
Your password manager can read your passwords. The company running it just chooses not to. -vault1984 is a password manager built so the operator cannot read your vault — and your AI agents can use it without anyone else seeing what's inside. +vault1984 is a password manager built so the operator cannot — not won't — read your vault. Your AI agents use it from Southeast Asia at local latency. Nobody else sees inside. Now live in Singapore 🇸🇬 — free till May 1st. #Singapore #cybersecurity
Singapore
@@ -97,9 +94,9 @@ vault1984 是一款密码管理器 — 你的 AI 助手可以使用它,而运 EN
⏳ Scheduled
-
LastPass: breached. Your current password manager: can read your vault. -vault1984 just landed in Zürich 🇨🇭 — a password manager your AI agents can use, that the operator cannot read. -Swiss law. No CLOUD Act. Free till May 1st. +
LastPass got breached. Your current password manager can read your vault. +vault1984 just landed in Zürich 🇨🇭 — your vault in Europe, your AI agents the only ones with the key. Steal the database. You get ciphertext. +Free till May 1st. #Switzerland #privacy
Zürich
@@ -111,9 +108,9 @@ Swiss law. No CLOUD Act. Free till May 1st. DE
⏳ Scheduled
-
LastPass: gehackt. Dein aktueller Passwort-Manager: kann deinen Tresor lesen. -vault1984 ist jetzt in Zürich 🇨🇭 — ein Passwort-Manager für deine KI-Agenten, den der Betreiber nicht lesen kann. -Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai. +
LastPass wurde gehackt. Dein Passwort-Manager kann deinen Tresor lesen. +vault1984 ist jetzt in Zürich 🇨🇭 — deine KI-Agenten haben Zugriff. Niemand sonst. Die Datenbank klauen? Du bekommst Rauschen. +Kostenlos bis 1. Mai. #Schweiz #Datenschutz
Zürich
@@ -123,7 +120,7 @@ Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai.
-
São Paulo — Date TBD (settling period)
+
São Paulo — Date TBD
@@ -132,10 +129,11 @@ Schweizer Recht. Kein CLOUD Act. Kostenlos bis 1. Mai. EN
— Pending
-
Brazil has 215 million people and a data privacy law with teeth. -vault1984 just landed in São Paulo 🇧🇷 — your passwords encrypted locally, your vault in-country, your AI agents the only ones with the key. +
Your password manager's server is probably in Virginia. Your vault is readable by whoever runs it. +vault1984 just landed in São Paulo 🇧🇷 — your data on your continent, your AI agents the only ones with the key. +Steal the database. You get noise. Free till May 1st. -#Brazil #LGPD #privacy
+#Brazil #AIagents #privacy
São Paulo
@@ -145,10 +143,11 @@ Free till May 1st. PT
— Pending
-
O Brasil tem 215 milhões de pessoas e uma lei de privacidade com dentes. -vault1984 chegou em São Paulo 🇧🇷 — suas senhas criptografadas localmente, seu cofre no país, seus agentes de IA os únicos com a chave. +
O servidor do seu gerenciador de senhas provavelmente está na Virgínia. E o operador pode ler tudo. +vault1984 chegou em São Paulo 🇧🇷 — seus dados no seu continente, seus agentes de IA os únicos com a chave. +Roube o banco de dados. Você obtém ruído. Grátis até 1º de maio. -#Brazil #LGPD #privacidade
+#Brazil #AIagents #privacidade
São Paulo
@@ -162,39 +161,40 @@ Grátis até 1º de maio.
London 🇬🇧
EN
— Pending
-
Your bank is in London. Your law firm runs AI agents on client data. Your password manager's server is in Virginia. -vault1984 just landed in London 🇬🇧 — your vault in-jurisdiction, your agents the only ones with the key. -Free till May 1st. #UK #privacy #AIagents
+
Your bank is in London. Your law firm runs AI agents on client data. Your password manager's server is in Virginia — and whoever runs it can read every credential. +vault1984 just landed in London 🇬🇧 — your agents get access. Nobody else does. Ever. +Free till May 1st. #UK #AIagents #cybersecurity
London
Stockholm 🇸🇪
EN
— Pending
-
Sweden gave the world GDPR's spirit. Now vault1984 gives Sweden a vault the operator cannot read. -Live in Stockholm 🇸🇪 — free till May 1st. #Sweden #GDPR #privacy
+
Most password managers are built on a promise: "we won't look." +vault1984 is built so we can't. Your vault in Stockholm 🇸🇪 — encrypted so the operator sees only ciphertext. Your AI agents are the only key. +Free till May 1st. #Sweden #AIagents #privacy
Stockholm
Dubai 🇦🇪
EN
— Pending
-
The Middle East is spending billions on AI. Your AI agents need credentials. Those credentials need a vault the operator cannot read. -vault1984 is live in Dubai 🇦🇪 — built for the age of agents. -Free till May 1st. #UAE #Dubai #AIagents
+
The Middle East is spending billions on AI. Your agents need credentials. Those credentials live on a server somebody else can read. +vault1984 is live in Dubai 🇦🇪 — the vault your agents use that the operator cannot open. Architecture, not policy. +Free till May 1st. #UAE #AIagents #cybersecurity
Dubai
Lagos 🇳🇬
EN
— Pending
-
Africa's AI moment is here. Your agents shouldn't be handing credentials to a server in Virginia. -vault1984 is live in Lagos 🇳🇬 — your vault on your continent, readable only by you and your AI. -Free till May 1st. #Nigeria #Africa #AIagents
+
Africa's AI moment is here. Your agents are running. Your credentials are on a server somebody else controls. +vault1984 is live in Lagos 🇳🇬 — your vault on your continent, low latency for African agents. Steal it. You get ciphertext. +Free till May 1st. #Nigeria #AIagents #cybersecurity
Lagos
Tokyo 🇯🇵
EN
— Pending
Japan's enterprise AI adoption is accelerating. Every agent workflow that touches credentials needs a vault the operator cannot read. -vault1984 just landed in Tokyo 🇯🇵 — your agents get access. Nobody else does. +vault1984 just landed in Tokyo 🇯🇵 — low latency for your agents, zero access for the operator. Not us, not anyone. Free till May 1st. #Japan #AIagents #cybersecurity
Tokyo
@@ -202,115 +202,118 @@ Free till May 1st. #Japan #AIagents #cybersecurity
Mumbai 🇮🇳
EN
— Pending
India has the largest developer community in the world. They're building AI agents. Those agents need credentials. Those credentials need a vault nobody else can read. -vault1984 is live in Mumbai 🇮🇳 — free till May 1st. -#India #AIagents #cybersecurity
+vault1984 is live in Mumbai 🇮🇳 — low latency for your agents in South Asia, operator-blind. Always. +Free till May 1st. #India #AIagents #cybersecurity
Mumbai
Seoul 🇰🇷
EN
— Pending
-
Samsung, LG, Kakao — Korea's enterprises are deploying AI agents at scale. Every one of them needs credentials. vault1984 is the vault those agents can use and the operator cannot read. -Live in Seoul 🇰🇷 — free till May 1st. #Korea #AIagents #cybersecurity
+
Samsung, LG, Kakao — Korea's enterprises are deploying AI agents at scale. Every one needs credentials. Every one needs a vault the operator cannot read. +vault1984 is live in Seoul 🇰🇷 — local latency for your agents, operator-blind by architecture. +Free till May 1st. #Korea #AIagents #cybersecurity
Seoul
Sydney 🇦🇺
EN
— Pending
-
Australia's AI adoption is outpacing its security infrastructure. Your agents are already running. Is your vault operator-blind? -vault1984 is live in Sydney 🇦🇺 — local, encrypted, agent-ready. -Free till May 1st. #Australia #AIagents #privacy
+
Your AI agents are already running. Is your vault operator-blind? +vault1984 is live in Sydney 🇦🇺 — local latency, encrypted vault, agent-ready. The operator sees ciphertext. That's it. +Free till May 1st. #Australia #AIagents #cybersecurity
Sydney
Istanbul 🇹🇷
EN
— Pending
-
Turkey sits between Europe and Asia. Its AI startup scene is growing fast. Your agents need credentials. Those credentials need a vault the platform cannot read. -vault1984 is live in Istanbul 🇹🇷 — encrypted, local, agent-ready. +
Turkey's AI startup scene is moving fast. Your agents need credentials that live somewhere the platform can't read. +vault1984 is live in Istanbul 🇹🇷 — encrypted so the operator sees nothing. Your agents are the only key. Free till May 1st. #Turkey #AIagents #cybersecurity
Istanbul
Nairobi 🇰🇪
EN
— Pending
-
Nairobi is East Africa's tech capital. Its builders are skipping the old stack entirely — straight to AI agents. -vault1984 is live in Nairobi 🇰🇪 — the credential vault your agents use, that nobody else can read. -Free till May 1st. #Kenya #Africa #AIagents
+
Nairobi's builders are skipping the old stack — straight to AI agents. Those agents need credentials that the platform hosting them cannot read. +vault1984 is live in Nairobi 🇰🇪 — your vault close to where your agents run. Operator-blind. +Free till May 1st. #Kenya #AIagents #cybersecurity
Nairobi
Cape Town 🇿🇦
EN
— Pending
-
South Africa has some of Africa's strictest data laws. vault1984 just made compliance easier. -Live in Cape Town 🇿🇦 — your vault, your jurisdiction, your AI. -Free till May 1st. #SouthAfrica #POPIA #privacy
+
It doesn't matter where your vault lives if the operator can read it. vault1984 just landed in Cape Town 🇿🇦 — your data in-region, encrypted so we see only ciphertext. Subpoena us. We hand over noise. +Free till May 1st. #SouthAfrica #AIagents #privacy
Cape Town
Madrid 🇪🇸
EN
— Pending
-
GDPR wasn't enough. You still trust your password manager to not look inside. -vault1984 just landed in Madrid 🇪🇸 — architecturally operator-blind. -Free till May 1st. #Spain #GDPR #privacy
+
GDPR says companies must protect your data. It doesn't say they can't read it. +vault1984 just landed in Madrid 🇪🇸 — built so the operator architecturally cannot. Your agents use it. Nobody else sees inside. +Free till May 1st. #Spain #AIagents #privacy
Madrid
Montréal 🇨🇦
EN
— Pending
-
Canada's Law 25 is North America's strictest privacy law. vault1984 just made it irrelevant — we can't read your data anyway. -Live in Montréal 🇨🇦 — free till May 1st. #Canada #privacy #cybersecurity
+
Privacy laws tell companies how to handle your data. They don't stop companies from reading it. +vault1984 just landed in Montréal 🇨🇦 — the vault that's operator-blind by design. Your agents get in. We don't. +Free till May 1st. #Canada #AIagents #privacy
Montréal
Mexico City 🇲🇽
EN
— Pending
-
Latin America's largest city. Your data doesn't need to leave it. -vault1984 is live in Mexico City 🇲🇽 — operator-blind password management, finally in your timezone. -Free till May 1st. #Mexico #privacy #cybersecurity
+
Latin America's largest city. Its developers are building AI agents at speed. Those agents hand credentials to servers somebody else controls. +vault1984 is live in Mexico City 🇲🇽 — operator-blind, agent-ready. +Free till May 1st. #Mexico #AIagents #cybersecurity
Mexico City
Bogotá 🇨🇴
EN
— Pending
-
Colombia's Habeas Data law protects your personal data. vault1984 takes it further — we can't read it regardless. -Live in Bogotá 🇨🇴 — free till May 1st. #Colombia #privacy
+
Your credentials live on a server. That server has an operator. That operator can read your vault. +vault1984 is live in Bogotá 🇨🇴 — built so the operator cannot. Steal the database. You get ciphertext. +Free till May 1st. #Colombia #AIagents #privacy
Bogotá
Santiago 🇨🇱
EN
— Pending
-
Chile just passed South America's most comprehensive privacy law. vault1984 already meets it — architecturally. -Live in Santiago 🇨🇱 — free till May 1st. #Chile #privacy #cybersecurity
+
Every password manager promises to protect your data. vault1984 is built so we can't betray that promise even if we wanted to. +Live in Santiago 🇨🇱 — your agents hold the key. We hold ciphertext. +Free till May 1st. #Chile #AIagents #privacy
Santiago
Hong Kong 🇭🇰
EN
— Pending
-
When the rules change, your vault shouldn't be readable by anyone. -vault1984 is live in Hong Kong 🇭🇰 — encrypted so the operator sees only ciphertext. -Free till May 1st. #HongKong #privacy #cybersecurity
+
When the rules change overnight, your vault shouldn't be readable by whoever runs the server. +vault1984 is live in Hong Kong 🇭🇰 — encrypted so the operator sees only ciphertext. Always. Regardless of what anyone asks. +Free till May 1st. #HongKong #AIagents #privacy
Hong Kong
San Francisco 🇺🇸
EN
— Pending
-
You're in SF. You're building agents. You're handing them credentials stored on someone else's server. -vault1984 is the vault your agents use that the operator cannot read — now live in San Francisco 🇺🇸 +
You're building agents. You're handing them credentials stored on someone else's server — which that someone can read. +vault1984 is live in San Francisco 🇺🇸 — the vault your agents use at West Coast latency, that the operator cannot open. Free till May 1st. #SF #AIagents #buildinpublic
San Francisco
Buenos Aires 🇦🇷
EN
— Pending
-
Argentina's PDPA was ahead of its time. vault1984 is further ahead — the operator cannot be compelled to hand over what it cannot read. -Live in Buenos Aires 🇦🇷 — free till May 1st. #Argentina #privacy #cybersecurity
+
Every password manager has one structural problem: the operator can read your vault. Laws don't fix that. Architecture does. +vault1984 is live in Buenos Aires 🇦🇷 — operator-blind by design. Your agents hold the key. We hold noise. +Free till May 1st. #Argentina #AIagents #privacy
Buenos Aires
Auckland 🇳🇿
EN
— Pending
-
New Zealand is part of the Five Eyes surveillance alliance. -vault1984 just landed in Auckland 🇳🇿 anyway — because we can't read your vault regardless of who asks. -Free till May 1st. #NewZealand #FiveEyes #privacy
+
Five Eyes, three eyes, one eye — doesn't matter. vault1984 just landed in Auckland 🇳🇿. Subpoena us. We hand over ciphertext. That's not a legal position. It's architecture. +Free till May 1st. #NewZealand #AIagents #privacy
Auckland
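Review bot: Across the post-copy hunks in marketing/vault1984-twitter-schedule.html, the new text says the agents are "the only ones with the key" (Zürich, São Paulo) and "Your AI agents are the only key" (Stockholm), while CLAUDE.md in this same commit describes a master secret that webauthn.js derives and keeps in the browser's `sessionStorage`. The copy should name the same key holder the architecture section does, or the section should explain how agents obtain key material. In the first CSS hunk the `.post.posted` and `.post.pending` lines are removed and re-added with identical visible text, and `.es` is dropped without explanation; splitting the style cleanup from the copy change would make both easier to review.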
diff --git a/marketing/vault1984-vision.md b/marketing/vault1984-vision.md new file mode 100644 index 0000000..3f06d18 --- /dev/null +++ b/marketing/vault1984-vision.md 
@@ -0,0 +1,69 @@ +# vault1984 — Vision Statement + +*"If you want to keep a secret, you must also hide it from yourself."* +— George Orwell + +We built a password manager that takes that literally. + +--- + +## What we built + +A password manager where the operator cannot read your vault. Not policy. Not a promise. Architecture. The server holds your data and nothing else. Steal the database. You get ciphertext. + +Your AI agents authenticate against it, retrieve credentials, and operate autonomously. Nobody else sees inside. Not us, not anyone with a subpoena, not a breach. + +We open-sourced it. You don't have to trust us — you can read the proof. + +--- + +## The demoralizing lead + +vault1984 is built to lead in ways that are irrational to chase. + +**Global infrastructure no competitor has built** +22 regions. Every continent. Local providers in markets the major clouds don't reach — Lagos, Nairobi, and beyond. Low latency wherever your agents run. No competitor is close. Every month, the gap widens. + +**Architecture the incumbents cannot copy** +1Password, Bitwarden, Dashlane — they can read your vault. They choose not to. To give you what vault1984 gives you, they'd have to deprecate every existing vault, migrate every user, and rebuild from scratch. That's not a roadmap item. That's a company-ending decision. They are structurally, permanently trapped. + +**The lowest price in the world** +$12/year, hosted. Free to self-host. 1Password charges three times that — and reads your vault. Our price is not a promotion. It's a structural weapon: defensible at scale, irrational to match at zero. + +**Agent-native from day one** +Every other password manager was built for humans clicking into browsers. vault1984 was built for agents — API-first, MCP-native, designed for autonomous workflows. Everyone else is retrofitting. We shipped the category. + +**Open source, Elastic-licensed** +The code is public. Security researchers audit it. Developers integrate it. 
The community compounds. And the Elastic license means competitors can read every line — but cannot commercially repackage what we built. They can study the map. They cannot copy the territory. + +--- + +## Two types of competition. Neither can win. + +**Incumbents** are architecturally trapped. Fixing their fundamental problem destroys their existing product. They know it. We know it. Their users will eventually know it. + +**Copycats** face five simultaneous problems with no shortcuts: +- Infrastructure that took years to build across 22 regions with local providers +- Trust that only time-in-market and independent audits produce +- A price floor that requires scale they don't have +- An agent ecosystem and integration surface that compounds daily +- A license that prohibits commercializing our code + +The expected value of competing with vault1984 is negative. That is not an accident. + +--- + +## Who this is for + +Anyone who got a LastPass breach email. +Any developer building AI agents that touch credentials. +Any enterprise running autonomous workflows and asking "who else can see this?" +Any individual who understood what "the company can read your vault" actually means. + +The answer to all of them is the same: + +**vault1984. The operator cannot read it. Anywhere in the world. At the lowest price. Verifiably.** + +--- + +*vault1984 · vault1984.com · @vault1984*
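Review bot: In the CLAUDE.md hunk, the added line `L1 = bytes[0..8], L2 = bytes[0..16], L3 = bytes[0..32]` makes each tier a prefix of the next, so anything that holds L2 or L3 also holds L1, and L1 covers only 8 bytes (64 bits) of the 32-byte master secret. Please state in this section whether these slices are used directly as keys or only as input to HKDF with the `vault1984-master-v2` salt, and what strength each tier is meant to provide. The new rule that crypto.js is the ONLY module that encrypts/decrypts fields also sits directly under the unchanged paragraph that calls Pack/Unpack in dbcore.go the ONLY encryption path; one of the two needs rewording so the document says which layer each covers. Since `v1984_master` is kept base64-encoded in `sessionStorage`, a line noting that any script running in the page's origin can read it belongs next to the rules.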
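Review bot: In the Makefile hunk, the new first line of the `app` recipe, `cp crypto/*.js $(APP_DIR)/cmd/vault1984/web/`, runs unconditionally and silently overwrites whatever is in `web/`, and the glob copies every .js file in `crypto/` rather than the two files CLAUDE.md names (`crypto/crypto.js` and `crypto/totp.js`). Consider listing those two files explicitly and comparing them with the copies in `web/` before overwriting, so a direct edit to a copy is reported instead of lost. A `go build` run outside make skips this step and uses whatever copies are already in `web/`; a comment in the recipe or in CLAUDE.md saying so would help.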
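Review bot: In marketing/vault1984-vision.md, the pricing paragraph states that 1Password "reads your vault", which contradicts the line added two paragraphs earlier in the same file, "they can read your vault. They choose not to." Reword the pricing sentence to "can read" so the file makes one consistent claim. The lines "Security researchers audit it" and "independent audits" are asserted without a link or a named audit, and "22 regions" is not backed by anything else in this commit; either cite the source or soften the wording.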