Reorganize repo: oss/ + commercial/ + shared docs/

- oss/ — open source (app, cli, crypto, Makefile) → published to GitHub
- commercial/ — proprietary (account, mgmt sidecar, website, marketing, tailscale) → Zürich only
- docs/ — shared design documentation, visible to both
- Move L2_AGENT_ENCRYPTION.md to docs/
- Update CLAUDE.md paths to reflect new structure

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitignore

@@ -6,5 +6,5 @@ vault1984
 *.env
 *.key
 *.pem
-app/backups/
+oss/app/backups/
-website/vault1984-web
+commercial/website/vault1984-web

CLAUDE.md

@@ -13,19 +13,27 @@ Johan is the architect. You are the collaborator. Same principles as inou:
 5. **No unsolicited files.** No new docs, tests, or helpers unless explicitly asked.
 6. **Mention concerns once, then execute.** Johan has reasons. Respect them.
 
-## Architecture
+## Repository Structure
 
 ```
-app/        — vault1984 server (Go, FIPS 140-3)
+docs/              — all design documentation (shared across OSS + commercial)
-cli/        — v1984 CLI client
+oss/               — open source, published to GitHub
-crypto/     — crypto primitives (BoringCrypto)
+  app/             — vault1984 server (Go, FIPS 140-3)
-website/    — vault1984.com marketing site
+  cli/             — v1984 CLI client
-docs/       — design documentation
+  crypto/          — crypto primitives (BoringCrypto)
+  Makefile         — build system
+commercial/        — proprietary, Zürich only, never on GitHub
+  account/         — account system (billing, vault credits)
+  mgmt/            — POP management sidecar
+  website/         — vault1984.com (marketing + account management)
+  marketing/       — marketing assets
+  tailscale/       — ACL config
 ```
 
 **Build:** Always use `GOEXPERIMENT=boringcrypto` (set in Makefile). Required for FIPS 140-3.
 
 ```bash
+cd oss/
 make deploy       # build + test + restart everything
 make deploy-app   # app only
 make deploy-web   # website only
@@ -60,7 +68,7 @@ make status       # check what's running
 
 ## Data Access Architecture
 
-All DB operations go through named functions in `app/lib/dbcore.go`. **No direct SQL outside dbcore.go.**
+All DB operations go through named functions in `oss/app/lib/dbcore.go`. **No direct SQL outside dbcore.go.**
 
 Choke points:
 - `EntryCreate/Get/Update/Delete/List/Search` — all credential entry operations
@@ -94,15 +102,15 @@ Choke points:
 - `isUnlocked()` checks sessionStorage — if false, user is logged out
 
 **Shared JS (crypto/ directory):**
-- `crypto/crypto.js` and `crypto/totp.js` are the source of truth
+- `oss/crypto/crypto.js` and `oss/crypto/totp.js` are the source of truth
-- Makefile copies them to `app/cmd/vault1984/web/` before building
+- Makefile copies them to `oss/app/cmd/vault1984/web/` before building
-- NEVER edit the copies in `web/` directly — edit `crypto/` and rebuild
+- NEVER edit the copies in `web/` directly — edit `oss/crypto/` and rebuild
 - CLI (QuickJS) and browser (Web Crypto) use the same code
 
 ## Key Files
 
-- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec (SUPERSEDED by truncation model)
+- `docs/L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec (SUPERSEDED by truncation model)
 - `docs/` — architecture docs
-- `app/cmd/vault1984` — main entry point
+- `oss/app/cmd/vault1984` — main entry point
-- `crypto/` — shared JS crypto (source of truth for CLI + browser)
+- `oss/crypto/` — shared JS crypto (source of truth for CLI + browser)
-- `cli/` — vault1984-cli (C + QuickJS + BearSSL)
+- `oss/cli/` — vault1984-cli (C + QuickJS + BearSSL)