(no title)

The API on DigitalOcean just builds a fresh .exe and embeds a unique seed into the runtime build. After that, everything is offline.

The seed is made server-side during creation as a SHA-256 over a timestamp + jitter source, and is written as (vault-seed.txt)in the .zip.

Inside the .exe, the vault reads its own embedded seed. The KDF is thus:

key = SHA256(SHA256(password||seed))

Each encryption uses a fresh 16-byte IV and encodes ciphertexts as:

ivHex + "." + encryptedHex

So the text is encrypted and locked behind an AES key and an ivHex per click.

The result is simply: same password + different builds => different AES keys, because each .exe has a different seed baked into it.

That’s what creates the conditions where two environments can never decrypt each-other’s ciphertexts and can be generated endlessly.