Overview
- Skill Key: cmill01/agent-scif
- Author: cmill01
- Source Repo: openclaw/skills
- Version: -
- Source Path: skills/cmill01/agent-scif
- Latest Commit SHA: 43db82d51763f1cb06eca0f5234d0d3d5bc556c0
Trustless encrypted vault with TOTP auth and clean-room session isolation. Secrets your agent holds but cannot read. Use when user wants to store, retrieve, or manage encrypted secrets securely.
- Stars: 0
- Installs: 0
- Status: ACTIVE
- Visibility: PUBLIC
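Copy the prompt below and send it to your AI assistant to complete the installation.
First check whether the SkillHub store is installed. If it is not, install the SkillHub store following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the tars-vault skill. If it is already installed, install the tars-vault skill directly.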
# TARS Vault — Agent Instructions
## Overview
You manage an encrypted vault for the user. You are the gatekeeper, not the reader.
When the vault is locked, you cannot access its contents. When open, you relay commands to a clean-room sub-agent that handles all content — you never see it.
## Key Principle
**Main session = blind relay. Clean room = where vault lives.**
---
## Commands
### Setup (first time only)
```bash
python3 scripts/vault.py setup <sender_id> --name "<label>"
```
- Generates QR code at `vault/<id>-setup.png` — send to user, then delete
- TOTP seed stored at `vault/<id>.totp` — do NOT print or log this
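A check for the two cleanup rules above, as an added example that is not part of the skill's scripts: it flags a leftover `vault/<id>-setup.png` and any `vault/<id>.totp` reachable beyond its owner. `audit_vault_dir` is a hypothetical helper, and the owner-only expectation is an assumption, since the page does not state which modes the skill sets.

```python
import stat
from pathlib import Path


def audit_vault_dir(vault_dir):
    """Return (name, issue) pairs for secrets the setup step left exposed."""
    root = Path(vault_dir)
    findings = []
    # Assumption: the vault directory should be owner-only (0700).
    if stat.S_IMODE(root.stat().st_mode) & 0o077:
        findings.append((".", "vault directory is accessible beyond its owner"))
    # A TOTP enrollment QR normally encodes the seed, so a leftover PNG
    # is as sensitive as the .totp file itself.
    for png in sorted(root.glob("*-setup.png")):
        findings.append((png.name, "setup QR code still on disk"))
    for seed in sorted(root.glob("*.totp")):
        if seed.is_symlink():
            # A symlinked seed may live outside the audited directory.
            findings.append((seed.name, "seed path is a symlink"))
            continue
        mode = stat.S_IMODE(seed.lstat().st_mode)
        if mode & 0o077:
            findings.append(
                (seed.name, f"seed mode {mode:04o} allows group/other access")
            )
    return findings


if __name__ == "__main__":
    for name, issue in audit_vault_dir("vault"):
        print(f"{name}: {issue}")
```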
### Open Vault → Launch Clean Room
When user says `open vault: [code]`:
1. Get a fresh TOTP code (you have it from the user message)
2. Generate the clean-room task:
```bash
python3 scripts/vault_cleanroom.py <sender_id> <code> <telegram_chat_id>
```
3. Spawn an isolated sub-agent with that task using `sessions_spawn`:
- `label`: `vault-cleanroom-<sender_id>`
- `cleanup`: `keep`
- `runTimeoutSeconds`: `7200`
4. Save the returned `childSessionKey`:
```bash
python3 -c "from scripts.vault_cleanroom import save_agent_session; save_agent_session('<sid>', '<key>')"
```
5. Tell the user: *"Clean room launched. Vault report coming to you directly — I won't see it."*
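The `open vault: [code]` message passes through the main session before it reaches the clean room, so whatever checks the code should spend each time step only once. The sketch below is an added example, not code from `scripts/vault.py` or `scripts/vault_cleanroom.py`; `TotpGate`, the one-step drift window and the sample seed (the RFC 6238 test seed) are assumptions.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpGate:
    """Hypothetical verifier: accepts each 30-second step at most once."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed, self.step, self.window = seed, step, window
        self.last_used = -1  # highest time step already spent on an unlock

    def check(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        supplied = code.strip().encode()
        matched = None
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            expected = totp(self.seed, counter).encode()
            # Constant-time compare; every candidate step is evaluated.
            same = hmac.compare_digest(expected, supplied)
            if same and counter > self.last_used:
                matched = counter
        if matched is None:
            return False  # wrong code, outside the window, or replayed
        self.last_used = matched
        return True


# Constructed sample: the RFC 6238 test seed, not a real vault seed.
SAMPLE_SEED = b"12345678901234567890"

if __name__ == "__main__":
    gate = TotpGate(SAMPLE_SEED)
    print(gate.check("287082", now=59))  # first use of the step-1 code
    print(gate.check("287082", now=59))  # same code seen again in chat
```

`last_used` has to persist across processes for the replay check to hold between separate script runs; here it lives only in memory.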
### Forward Vault Commands (add / delete / list)
When vault is open (clean room active), forward commands via `sessions_send`:
- Load session key: `python3 scripts/vault_cleanroom.py load-session <sender_id>`
- Forward: `sessions_send(sessionKey=<key>, message="add to vault: [content]", timeoutSeconds=0)`
- Tell user: *"Forwarded blind. Response goes to you directly."*
- **Do NOT read or relay the sub-agent's response back to main context**
### Close Vault
When user says `close vault`:
1. Forward: `sessions_send(sessionKey=<key>, message="close vault", timeoutSeconds=0)`
2. On receiving `VAULT_SESSION_ENDED` from sub-agent: clear session key:
```bash
python3 scripts/vault_cl...
```
# Agent SCIF
**Sensitive Compartmented Information Facility — for AI agents.**
**A way to obfuscate sensitive data from friendly agents.**
Your AI agent is helpful and cooperative — and sometimes you want it to stay helpful without knowing everything. Agent SCIF is how you do that: a sealed memory architecture where your agent holds the encrypted file but is structurally excluded from reading it without your authorization.
> ⚠️ **This is a proof-of-concept experiment in agent SCIF architecture, not a production secrets manager.** It protects your data from your own cooperative agent on a machine you control — not from an adversary with filesystem access. See [Security Limitations](#security-limitations).
---
## The Problem
AI agents have two memory modes and neither is ideal:
| Mode | Persistent | Agent-blind |
|------|-----------|-------------|
| Normal memory | ✅ | ❌ Agent knows everything |
| No memory ("incognito") | ❌ | ✅ Nothing survives the session |
| **Agent SCIF** | ✅ | ✅ Agent is structurally excluded |
A SCIF (in the real world) is a room where classified work happens — no phones, no recording devices, no external connections. This is the AI equivalent: a sealed session the agent can knock on, but only you hold the key.
---
## How It Works
### At Rest
Your entries are stored in an AES-256-GCM encrypted file on disk. The agent has the file but cannot open it — the key is derived from your TOTP seed via Argon2id. No TOTP seed, no key. No key, no vault.
### The Clean Room (when open)
When you open the vault, the main agent does **not** decrypt it into its own context. Instead:
1. You send `open vault: [6-digit code]`
2. A **zero-history isolated sub-agent** spawns — no prior conversation context whatsoever
3. That sub-agent opens the vault and sends contents **directly to you** (Telegram/WhatsApp), bypassing the main agent entirely
4. The main agent becomes a **blind relay** — it forwards your commands but never sees the responses
5. `cl...