docs: GitHub 2FA listing strategy — prerequisites, outreach template, phases (C-010)
This commit is contained in:
James
parent
ec4a68e67b
commit
024f898873
|
|
@ -0,0 +1,117 @@
|
|||
# GitHub 2FA Listing — Strategy & Outreach
|
||||
|
||||
*Task: C-010 | Goal: Get Clavitor listed on GitHub's 2FA setup screen alongside 1Password, Authy, Keeper*
|
||||
|
||||
---
|
||||
|
||||
## Where the Listing Lives
|
||||
|
||||
GitHub's 2FA setup flow (Settings → Password and authentication → Two-factor authentication) recommends specific TOTP password managers in the UI copy. This is **not** in the public github/docs repo — it's hardcoded in GitHub's frontend/settings codebase.
|
||||
|
||||
Known mentions in GitHub docs and community:
|
||||
- `docs.github.com` recommends: **KeePassXC** (desktop), **1Password** (browser extension)
|
||||
- GitHub UI mentions: **1Password, Authy, Microsoft Authenticator** (recovery codes screen)
|
||||
- Recovery codes step 2 of 3 specifically lists: **1Password, Authy, Keeper** (per task description)
|
||||
|
||||
This is a **partnerships/security team ask**, not an open PR to github/docs.
|
||||
|
||||
---
|
||||
|
||||
## Prerequisites (Blockers — must clear first)
|
||||
|
||||
Clavitor cannot credibly request this listing until:
|
||||
|
||||
- [ ] **Public GitHub repo** — GitHub won't list a product without verifiable open-source presence. `github.com/johanj/clavitor` must be live with README, releases, stars.
|
||||
- [ ] **Browser extension** — 1Password, Authy, Keeper are all listed because they have browser extensions for autofill + TOTP. Without a Chrome extension in the Web Store, the listing ask is premature.
|
||||
- [ ] **Published TOTP documentation** — GitHub needs to see documented TOTP support. A dedicated docs page at `clavitor.ai/docs/totp` or similar.
|
||||
- [ ] **Security audit / disclosure policy** — GitHub will want to see `/.well-known/security.txt` (already done ✅) plus ideally a published security contact and responsible disclosure policy.
|
||||
- [ ] **Meaningful user base / traction** — GitHub only lists established tools. Get the Show HN post, Product Hunt launch, and some GitHub stars first (target: 500+ stars).
|
||||
|
||||
---
|
||||
|
||||
## Outreach Path
|
||||
|
||||
### Option A: GitHub Security Partnership Team (preferred)
|
||||
|
||||
GitHub has a security partnerships program. The ask goes to their security team, not docs team.
|
||||
|
||||
**Contact:** `security@github.com` or `partnerships@github.com`
|
||||
|
||||
**Template email** (send after prerequisites cleared):
|
||||
|
||||
```
|
||||
Subject: Partnership inquiry — Clavitor TOTP/password manager listing
|
||||
|
||||
Hi GitHub Security team,
|
||||
|
||||
I'm Johan Jongsma, the founder of Clavitor (clavitor.ai),
|
||||
an open-source AI-native password manager with native TOTP support.
|
||||
|
||||
We've been seeing strong adoption from developers who use Claude Code,
|
||||
Codex, and similar AI coding assistants — users who need their agents
|
||||
to complete 2FA flows autonomously. Clavitor is currently the only
|
||||
password manager that exposes TOTP codes to AI agents via MCP while
|
||||
keeping identity fields (credit cards, passports) client-side only
|
||||
via WebAuthn PRF.
|
||||
|
||||
We'd love to be considered for the recommended password manager list
|
||||
on GitHub's 2FA setup screen alongside 1Password, Authy, and Keeper.
|
||||
|
||||
Clavitor:
|
||||
- Supports TOTP with `get_totp("GitHub")` via MCP (AI agents)
|
||||
- MIT licensed, source at github.com/johanj/clavitor
|
||||
- Chrome extension available in Web Store
|
||||
- Self-hostable (one binary) or hosted at clavitor.ai
|
||||
- WebAuthn PRF for identity fields (client-side only)
|
||||
- Security: security@clavitor.ai, /.well-known/security.txt
|
||||
|
||||
We're happy to provide any additional information, documentation,
|
||||
or undergo a security review.
|
||||
|
||||
Best,
|
||||
Johan Jongsma
|
||||
founder@clavitor.ai
|
||||
```
|
||||
|
||||
### Option B: github/docs Pull Request
|
||||
|
||||
Some GitHub recommendations ARE in the docs repo. Check:
|
||||
`github.com/github/docs/blob/main/content/authentication/securing-your-account-with-two-factor-authentication-2fa/`
|
||||
|
||||
If the specific "Password managers like 1Password, Authy, Keeper" text is in a docs file:
|
||||
1. Fork github/docs
|
||||
2. Add Clavitor to the list
|
||||
3. Submit PR with reasoning
|
||||
|
||||
**Likelihood of acceptance:** Low without established brand. GitHub will likely request evidence of adoption and security review before merging.
|
||||
|
||||
### Option C: GitHub Community Discussion
|
||||
|
||||
Post in `github.com/orgs/community/discussions` — "Suggestion: Add Clavitor to recommended 2FA tools." This signals community interest and gets seen by the GitHub team who monitors that forum.
|
||||
|
||||
---
|
||||
|
||||
## Success Criteria by Phase
|
||||
|
||||
| Phase | Milestone | Then |
|
||||
|-------|-----------|------|
|
||||
| 1 | Public repo live, 100+ stars | Submit github/docs PR |
|
||||
| 2 | 500+ stars, browser extension in Chrome Store | Email security@github.com |
|
||||
| 3 | Security audit complete | Follow up on PR + email |
|
||||
| 4 | 1000+ stars, Show HN traction | GitHub team takes notice organically |
|
||||
|
||||
---
|
||||
|
||||
## Current Status
|
||||
|
||||
🔴 **Not ready to submit** — missing: public repo, browser extension, meaningful traction.
|
||||
|
||||
**Next action:** Complete Phase 1 (public GitHub repo launch, Show HN post, Product Hunt). Return to this task after 500 stars.
|
||||
|
||||
---
|
||||
|
||||
## Files to Create Before Outreach
|
||||
|
||||
- `clavitor.ai/docs/totp` — dedicated TOTP documentation page
|
||||
- `clavitor.ai/security` — security policy page (or redirect to /.well-known/security.txt)
|
||||
- `github.com/johanj/clavitor` — public repo with README and releases
|
||||
Loading…
Reference in New Issue