diff --git a/docs/LAUNCH-CHECKLIST.md b/docs/LAUNCH-CHECKLIST.md index 2de090d..0dcb16e 100644 --- a/docs/LAUNCH-CHECKLIST.md +++ b/docs/LAUNCH-CHECKLIST.md @@ -31,7 +31,7 @@ - [ ] Schedule launch (weekday, Tuesday–Thursday best) ### HackerNews -- [ ] Draft "Show HN: Clavitor – Password manager with two-tier encryption for humans with AI assistants" +- [x] Draft "Show HN: Clavitor – Password manager with two-tier encryption for humans with AI assistants" → docs/SHOW-HN.md - [ ] Time for Monday morning ET (highest engagement) --- diff --git a/docs/SHOW-HN.md b/docs/SHOW-HN.md new file mode 100644 index 0000000..418ad62 --- /dev/null +++ b/docs/SHOW-HN.md 
@@ -0,0 +1,81 @@ +# Show HN: Clavitor – Password manager with two-tier encryption for humans with AI assistants + +**TL;DR:** A password manager that knows your AI assistant needs your GitHub key, but doesn't need your CVV. Field-level encryption with WebAuthn PRF for L2 secrets. One Go binary, MIT licensed. + +--- + +## The Problem + +Your Claude/Codex/Cursor agent needs credentials to deploy code, rotate keys, complete 2FA. But every existing password manager is all-or-nothing: + +- Give the AI your vault password → it sees everything (including your credit card) +- Don't give it access → it can't do its job + +We needed per-field visibility. So we built it. + +--- + +## Two-Tier Encryption + +**L1 (Credential Encryption):** Server-side key. AI-readable. API keys, SSH keys, TOTP secrets. + +**L2 (Identity Encryption):** WebAuthn PRF, client-side only. Card numbers, CVV, passport, private keys. The server literally cannot decrypt these — the key is derived from your Touch ID / Face ID / YubiKey in the browser and never leaves. + +Same entry. Two encryption tiers. The AI sees the GitHub token. It sees that you *have* an Amex card. It cannot see the card number. + +--- + +## Technical Details + +- **One binary:** `clavitor` → SQLite file on port 1984. No Docker, no Postgres, no Redis. +- **MCP-native:** `/mcp` endpoint with `get_credential()`, `get_totp()`, `check_expiring()`. Works with Claude Code, Cursor, Codex. +- **LLM import:** Native parsers for Chrome/Firefox/Bitwarden/Proton (12k+ entries instant). LLM fallback for any other format. +- **Collision resolution:** Import from multiple sources, newest `timePasswordChanged` wins per entry. +- **FIPS 140-3:** Go crypto with CNG/OpenSSL backends where available. + +--- + +## Why This Matters + +LastPass lost encrypted vaults in 2022. Three years later, attackers are still cracking them — weak passwords first. FBI traced $150M+ in crypto theft to that single breach. + +Clavitor's L2 fields use WebAuthn PRF. 
The server never has the key. Even shell access to the box doesn't get your credit card numbers. Math, not policy. + +--- + +## Quick Start + +```bash +# Self-host in 30 seconds +curl -fsSL clavitor.ai/install.sh | sh +./clavitor +# Running on http://localhost:1984 + +# Claude Code MCP config +~/.claude/mcp.json: +{ + "mcpServers": { + "clavitor": { + "command": "clavitor", + "args": ["mcp"] + } + } +} +``` + +--- + +## Code & License + +- **GitHub:** https://github.com/johanj/clavitor +- **License:** MIT +- **Language:** Go 1.24 +- **Platforms:** Linux/amd64, Linux/arm64, Darwin/arm64, Darwin/amd64 + +The port number is intentional. + +--- + +## Questions? + +AMA in comments. Happy to discuss the WebAuthn PRF implementation, the MCP protocol design, or why we chose SQLite over "web scale" alternatives.
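Review bot: the HackerNews timing item in the LAUNCH-CHECKLIST.md hunk now conflicts with the scheduling item two lines above it: the checklist keeps `Schedule launch (weekday, Tuesday–Thursday best)` while the Show HN entry still says `Time for Monday morning ET (highest engagement)`. Ticking the draft as done without reconciling these leaves two different launch days in the same checklist; either pick one, or state that the HN post and the wider launch are intentionally on different days, before the timing item is ticked too.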
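Review bot: the "Why This Matters" paragraph in the SHOW-HN.md hunk overstates the L2 guarantee: `Even shell access to the box doesn't get your credit card numbers` is true for a stolen database or backup (the LastPass scenario the paragraph is actually about), but an attacker with shell on the server can alter the web client it serves, and both the PRF-derived key and the decrypted card number are inside that client the next time the user unlocks an L2 field. Reword to "a copy of the database" or "read access to the box", and say plainly that L1 fields (API keys, SSH keys, TOTP secrets, encrypted with a server-side key) have no such protection, since those are exactly what the TL;DR headlines; relatedly, `SSH keys` sit under L1 while `private keys` sit under L2, so say which private keys are meant. Two smaller points in the same file: `curl -fsSL clavitor.ai/install.sh | sh` has no scheme, so curl fetches it over plain HTTP unless the host redirects, and a password manager's install line should use `https://` and publish a checksum or signature to verify before piping to `sh`; and `FIPS 140-3` is a validation status, not a build property, so the bullet should name the module and its certificate (or say "in process" / "FIPS 140-3 approved algorithms"), and should say which toolchain provides the `CNG/OpenSSL backends` it mentions, given that "Code & License" lists plain `Go 1.24`.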