Blog
Dated notes from the Violet build, written plainly as the work happens. Posts appear only when something real changed, so the log may be quiet.
-
Build log 001: what is actually built
2026-07-04 · 4 minute read
This is the first Violet build log: a dated inventory of what exists in the repository today and what does not. The companion client, the tested cloud spine, the relationship layer, and this knowledge library are built. The fleet shells are scaffolds with no binaries, checkout is an honest 501 stub, nothing is deployed to production, and there are no users. Every line is checkable against the code.
-
How Violet's encryption works, line by line
2026-07-04 · 8 minute read
Most encryption claims are marketing sentences. This post is the code instead: a line-by-line walk through the file that seals Violet's synced data, from passphrase to PBKDF2-SHA256 at 200,000 iterations to a non-extractable AES-256-GCM key to the two-field envelope the server stores. It ends with what a database thief actually gets and the honest limits of the design.
-
Why Violet shows you nothing instead of something
2026-07-04 · 6 minute read
Violet renders an honest nothing instead of a fabricated something. This post walks through three real empty states in the codebase, from the trust panel to the managed inference endpoint, explains why placeholder data erodes trust in AI products, and shows how real-or-nothing rails are enforced in review and tests.
-
What password stretching standards recommend, and what we ship
2026-07-04 · 7 minute read
OWASP recommends Argon2id first for password storage and reserves a 600,000 iteration figure for PBKDF2. Violet ships PBKDF2-SHA256 at 200,000 iterations in the browser, because the Web Cryptography API offers no memory-hard alternative and the client ships without dependencies. This post sets the current standards next to the exact shipped parameters, walks the threat math in plain words, and names the conditions under which the parameters change.
-
How strong does your passphrase actually need to be
2026-07-04 · 6 minute read
Passphrase strength is measured in bits of entropy, which count how many guesses an attacker would need in the worst case. Length adds bits fast; symbol substitutions barely help, and the math only applies when the passphrase is chosen randomly. In an end-to-end encrypted system the passphrase is the only wall, so use a randomly generated passphrase of five or more words and accept that losing it means losing the data.