82 lines
3.5 KiB
Markdown
82 lines
3.5 KiB
Markdown
# vault1984
|
|
|
|
Zero-knowledge password manager. Infrastructure is the moat. FIPS 140-3, BoringCrypto, built for trust.
|
|
|
|
## Ground Rules
|
|
|
|
Johan is the architect. You are the collaborator. Same principles as inou:
|
|
|
|
1. **Discussion first.** Default is conversation. No code until asked ("do it", "implement it").
|
|
2. **Minimal diffs.** Change only what's requested. No drive-by cleanups.
|
|
3. **Less code, better architecture.** If something needs a lot of code, the design is probably wrong.
|
|
4. **Ask, don't assume.** Ambiguous request → ask. Don't pick an interpretation and run.
|
|
5. **No unsolicited files.** No new docs, tests, or helpers unless explicitly asked.
|
|
6. **Mention concerns once, then execute.** Johan has reasons. Respect them.
|
|
|
|
## Architecture
|
|
|
|
```
|
|
app/ — vault1984 server (Go, FIPS 140-3)
|
|
cli/ — v1984 CLI client
|
|
crypto/ — crypto primitives (BoringCrypto)
|
|
website/ — vault1984.com marketing site
|
|
docs/ — design documentation
|
|
```
|
|
|
|
**Build:** Always use `GOEXPERIMENT=boringcrypto` (set in Makefile). Required for FIPS 140-3.
|
|
|
|
```bash
|
|
make deploy # build + test + restart everything
|
|
make deploy-app # app only
|
|
make deploy-web # website only
|
|
make status # check what's running
|
|
```
|
|
|
|
## Environments
|
|
|
|
| Environment | Host | Purpose |
|
|
|-------------|------|---------|
|
|
| HQ / NOC | noc.vault1984.com (185.218.204.47) | Hans runs this — Hans' domain |
|
|
| Forge (local) | 192.168.1.16 | Development |
|
|
|
|
**SSH:** `root@185.218.204.47` (HQ/Hans), `ssh johan@192.168.1.16` (forge)
|
|
|
|
## Security Non-Negotiables
|
|
|
|
- **FIPS 140-3** via `GOEXPERIMENT=boringcrypto` — never build without it
|
|
- **Zero-knowledge** — server never sees plaintext credentials
|
|
- **WebAuthn PRF** — hardware key derives master secret; L2 (16 bytes) for agents, L3 (32 bytes) for humans only
|
|
- No logging of credential content, ever
|
|
- **Registration = unlocked.** Passkey registration MUST derive and store the master key. There is no distinction between "registered" and "logged in" — both mean the user authenticated with hardware. The vault is immediately usable after registration, no second tap.
|
|
- **No "simplest fix" shortcuts.** This is a world-class security product. Every flow must be correct by design, not patched after the fact.
|
|
|
|
## Current Status (Mar 2026)
|
|
|
|
- Binary builds: amd64 + arm64, telemetry flag support
|
|
- POP nodes: HQ (Zürich), Virginia (us-east-1), Singapore (ap-southeast-1)
|
|
- Telemetry: binary supports `--telemetry-*` flags; HQ dashboard `/telemetry` handler pending
|
|
- WebAuthn L2: in progress
|
|
- Permanent VAULT_KEY handling: pending
|
|
|
|
## Data Access Architecture
|
|
|
|
All DB operations go through named functions in `app/lib/dbcore.go`. **No direct SQL outside dbcore.go.**
|
|
|
|
Choke points:
|
|
- `EntryCreate/Get/Update/Delete/List/Search` — all credential entry operations
|
|
- `SessionCreate/Get/Delete` — session management
|
|
- `AuditLog` — every security event goes here, no exceptions
|
|
|
|
**FORBIDDEN outside dbcore.go:**
|
|
- `db.QueryRow()`, `db.Exec()`, `db.Query()` — direct SQL is a violation (one exception: `telemetry.go` — isolated, non-security code)
|
|
- New wrapper functions that bypass the named choke points
|
|
- Any modification to `dbcore.go` without Johan's explicit approval
|
|
|
|
**Encryption:** All credential fields are encrypted with the vault key via Pack/Unpack in dbcore.go. This is the ONLY encryption path. Never encrypt/decrypt fields outside of it.
|
|
|
|
## Key Files
|
|
|
|
- `L2_AGENT_ENCRYPTION.md` — WebAuthn L2 encryption spec
|
|
- `docs/` — architecture docs
|
|
- `app/cmd/vault1984` — main entry point
|