diff --git a/docs/GITHUB-2FA-LISTING.md b/docs/GITHUB-2FA-LISTING.md new file mode 100644 index 0000000..6d3776a --- /dev/null +++ b/docs/GITHUB-2FA-LISTING.md 
@@ -0,0 +1,117 @@ +# GitHub 2FA Listing — Strategy & Outreach + +*Task: C-010 | Goal: Get Clavitor listed on GitHub's 2FA setup screen alongside 1Password, Authy, Keeper* + +--- + +## Where the Listing Lives + +GitHub's 2FA setup flow (Settings → Password and authentication → Two-factor authentication) recommends specific TOTP password managers in the UI copy. This is **not** in the public github/docs repo — it's hardcoded in GitHub's frontend/settings codebase. + +Known mentions in GitHub docs and community: +- `docs.github.com` recommends: **KeePassXC** (desktop), **1Password** (browser extension) +- GitHub UI mentions: **1Password, Authy, Microsoft Authenticator** (recovery codes screen) +- Recovery codes step 2 of 3 specifically lists: **1Password, Authy, Keeper** (per task description) + +This is a **partnerships/security team ask**, not an open PR to github/docs. + +--- + +## Prerequisites (Blockers — must clear first) + +Clavitor cannot credibly request this listing until: + +- [ ] **Public GitHub repo** — GitHub won't list a product without verifiable open-source presence. `github.com/johanj/clavitor` must be live with README, releases, stars. +- [ ] **Browser extension** — 1Password, Authy, Keeper are all listed because they have browser extensions for autofill + TOTP. Without a Chrome extension in the Web Store, the listing ask is premature. +- [ ] **Published TOTP documentation** — GitHub needs to see documented TOTP support. A dedicated docs page at `clavitor.ai/docs/totp` or similar. +- [ ] **Security audit / disclosure policy** — GitHub will want to see `/.well-known/security.txt` (already done ✅) plus ideally a published security contact and responsible disclosure policy. +- [ ] **Meaningful user base / traction** — GitHub only lists established tools. Get the Show HN post, Product Hunt launch, and some GitHub stars first (target: 500+ stars). 
+ +--- + +## Outreach Path + +### Option A: GitHub Security Partnership Team (preferred) + +GitHub has a security partnerships program. The ask goes to their security team, not docs team. + +**Contact:** `security@github.com` or `partnerships@github.com` + +**Template email** (send after prerequisites cleared): + +``` +Subject: Partnership inquiry — Clavitor TOTP/password manager listing + +Hi GitHub Security team, + +I'm Johan Jongsma, the founder of Clavitor (clavitor.ai), +an open-source AI-native password manager with native TOTP support. + +We've been seeing strong adoption from developers who use Claude Code, +Codex, and similar AI coding assistants — users who need their agents +to complete 2FA flows autonomously. Clavitor is currently the only +password manager that exposes TOTP codes to AI agents via MCP while +keeping identity fields (credit cards, passports) client-side only +via WebAuthn PRF. + +We'd love to be considered for the recommended password manager list +on GitHub's 2FA setup screen alongside 1Password, Authy, and Keeper. + +Clavitor: +- Supports TOTP with `get_totp("GitHub")` via MCP (AI agents) +- MIT licensed, source at github.com/johanj/clavitor +- Chrome extension available in Web Store +- Self-hostable (one binary) or hosted at clavitor.ai +- WebAuthn PRF for identity fields (client-side only) +- Security: security@clavitor.ai, /.well-known/security.txt + +We're happy to provide any additional information, documentation, +or undergo a security review. + +Best, +Johan Jongsma +founder@clavitor.ai +``` + +### Option B: github/docs Pull Request + +Some GitHub recommendations ARE in the docs repo. Check: +`github.com/github/docs/blob/main/content/authentication/securing-your-account-with-two-factor-authentication-2fa/` + +If the specific "Password managers like 1Password, Authy, Keeper" text is in a docs file: +1. Fork github/docs +2. Add Clavitor to the list +3. 
Submit PR with reasoning + +**Likelihood of acceptance:** Low without established brand. GitHub will likely request evidence of adoption and security review before merging. + +### Option C: GitHub Community Discussion + +Post in `github.com/orgs/community/discussions` — "Suggestion: Add Clavitor to recommended 2FA tools." This signals community interest and gets seen by the GitHub team who monitors that forum. + +--- + +## Success Criteria by Phase + +| Phase | Milestone | Then | +|-------|-----------|------| +| 1 | Public repo live, 100+ stars | Submit github/docs PR | +| 2 | 500+ stars, browser extension in Chrome Store | Email security@github.com | +| 3 | Security audit complete | Follow up on PR + email | +| 4 | 1000+ stars, Show HN traction | GitHub team takes notice organically | + +--- + +## Current Status + +🔴 **Not ready to submit** — missing: public repo, browser extension, meaningful traction. + +**Next action:** Complete Phase 1 (public GitHub repo launch, Show HN post, Product Hunt). Return to this task after 500 stars. + +--- + +## Files to Create Before Outreach + +- `clavitor.ai/docs/totp` — dedicated TOTP documentation page +- `clavitor.ai/security` — security policy page (or redirect to /.well-known/security.txt) +- `github.com/johanj/clavitor` — public repo with README and releases
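Review bot: In the Option A template email, the pitch is that Clavitor "exposes TOTP codes to AI agents via MCP" so agents can "complete 2FA flows autonomously", but the Prerequisites checklist has no item covering how that access is constrained, and that is the first thing a security team will ask, since it makes the second factor retrievable by an automated agent. Suggest adding a prerequisite for a published threat model of `get_totp` (for example per-entry scoping, user approval, audit logging) and linking it from the email next to the security.txt line. Separately, the plan disagrees with itself on sequencing: "Where the Listing Lives" says this is not an open PR to github/docs and Option B rates acceptance as low, yet the Phase 1 row reads `Submit github/docs PR` at 100+ stars, while Current Status says to return to the task after 500 stars; pick one order and make the table, Option B and the status section match. The "Security audit / disclosure policy" item is also left unchecked while saying "(already done ✅)" inline; split it so the security.txt part can be ticked on its own and the audit stays open. The `security@github.com` and `partnerships@github.com` contacts and the "(per task description)" attribution for the Keeper mention carry no source; add a link or mark them as unverified before anyone sends the email.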