I just wanna enjoy my family, my work, read books, and drink coffee. And the world is burning.

Ha! "hard mode" 4sure. Debugging decryption failures with zero server-side visibility is a special kind of pain.

Next - Phase 3 envelope key architecture for key rotation, public profiles and selective sharing. Security audit before anything goes beyond personal use.

Thanks for following along 🔐

Server never saw plaintext. Architecture held.

clareifi.xyz

#BuildInPublic #Privacy #E2EE

it makes debugging harder.

What shipped:
→ Supabase auth (email + password)
→ Salt stored server-side, key derived client-side
→ New device fetches salt, derives correct key, decrypts notes
→ Tested: Chrome, Brave, Vivaldi, Samsung Internet — all working

Clareifi Notes Phase 2 shipped 🔐

Multi-device sync. Zero-knowledge confirmed.

Honest build-in-public moment: this phase was brutal. Silent sync failures, session persistence bugs, stale keys silently breaking decryption across browsers. No server-side visibility to debug — that's the point, but...

Mark Jacob on how the press ignores the biggest Trump story "The president of the United States is clearly mentally unfit for office."

Mark Jacob on how the press ignores the biggest Trump story: “The president of the United States is clearly mentally unfit for office."

Ahh, it’s another beautiful CaturDogDay

Fair point — an envelope key now is cleaner than re-wrapping everything at rotation time. It's on the roadmap.

Phase 2 is shipping working sync. Phase 3 is where the key hierarchy gets more sophisticated. Building deliberately, not just fast.

@getmeos.com Hey @getmeos.com just noticed you're using my post as endorsement copy on your landing page without my permission. I haven't endorsed your product. Please remove it.

I build in public and welcome technical discussion. Using that as free marketing is a different thing entirely.

For now the constraint is known and documented, lost password means lost data, no recovery path by design.

Separate key hierarchy is the right long-term architecture. Curious how you'd approach it?

Deriving directly from the password via PBKDF2 (310k iterations, SHA-256) for Phase 1, no separate key hierarchy yet.

You're right that key rotation is the hard next problem. It's on the Phase 3 list.

Beautiful 🌎

The principle holds: Supabase is an untrusted store. It never sees plaintext. Encryption stays entirely client-side.

Still building in public. Phase 2 in progress.

clareifi.xyz

Clareifi Notes Phase 2 update 🔐

Shipped tonight:
→ Supabase auth (email + password)
→ Encrypted note sync to Supabase
→ vault_config and notes tables with Row Level Security
→ Zero-knowledge confirmed — only ciphertext hits the database

#BuildInPublic #Privacy #E2EE

That's home. That's us.

This image of home just came down from the Artemis II crew.

Taken after their translunar injection burn, there are aurorae at top right and lower left, and zodiacal light at lower right.

Credit: NASA/Reid Wiseman

Phase 2 is solving sync + auth via Supabase, but the model stays the same. Server only ever sees ciphertext. Search stays client-side, post-decrypt.

The tradeoff is a known constraint, not a gap. For a personal vault, in-memory search after local decryption is fast enough and leaks nothing. ✌️

Friday #therapy session about to begin...

#SelfCare 📵

The tradeoff is no server-side search at scale, but for a personal notes vault that's an acceptable constraint vs. the privacy cost of any server-visible index.

For Phase 2 sync I'm keeping the same model: query happens after local decryption, not against ciphertext server-side. No search index ever leaves the client.

Great question. Right now search is client-side only — the vault decrypts locally and filters in-memory, so nothing leaks to the server. It's a deliberate Phase 1 constraint.

Clareifi Notes update 🔐

Encrypted note titles are live at clareifi.xyz

Titles use the same AES-GCM 256-bit encryption as note content — zero-knowledge, client-side only. The server never sees plaintext.

Building in public. Phase 1 nearly wrapped.

#BuildInPublic #Privacy #E2EE

Maybe a good way to try and protect your privacy ¿

Sometimes, I feel like I'm a cartoon

There are quite a few things that I want to say, and do, before this is all over.

Respect where you are while moving toward where you want to be.

Why does this day feel soooo long?!

Two cats in a window with sunflowers 🌻

My babies lookin pretty. 🐈‍⬛️🐈

The edge of a forest, a sloping hill with a wooden fence, tall pines, a blue sky.

Tall pines and a blue sky.

We went outside this past weekend...

Building the Secure Bunker Two weeks ago, I shared the blueprint for the Clareifi Dev Stack. Today, the foundation isn't just poured—the first room is officially built, locked, and verified. Clareifi Notes started with a simple...

Built with Svelte 5 + Tailwind CSS 4 in the open on GitHub.

Next challenge: Cross-device sync without breaking the E2EE promise. CRDTs + blind relay incoming.

Full writeup on the Clareifi Dev Stack: paragraph.com/@clareifi/bu...

#BuildInPublic #Privacy #E2EE

Month 1 milestone ✅

Phase 1 of Clareifi Notes is complete. The "Secure Bunker" is officially built and verified.

What works now:
- Password-derived encryption (310k PBKDF2 iterations)
- AES-GCM 256-bit encryption via Web Crypto API
- True zero-knowledge storage (even I can't read your notes)