docs: add Show HN draft for clavitor.ai launch (TASK-072)

James 2026-03-29 02:30:36 -04:00
parent f9e2a3bdf1
commit 55367fe06e
2 changed files with 82 additions and 1 deletions


@ -31,7 +31,7 @@
- [ ] Schedule launch (weekday, TuesdayThursday best) - [ ] Schedule launch (weekday, TuesdayThursday best)
### HackerNews ### HackerNews
- [ ] Draft "Show HN: Clavitor Password manager with two-tier encryption for humans with AI assistants" - [x] Draft "Show HN: Clavitor Password manager with two-tier encryption for humans with AI assistants" → docs/SHOW-HN.md
- [ ] Time for Monday morning ET (highest engagement) - [ ] Time for Monday morning ET (highest engagement)
--- ---
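Review bot: the two scheduling items in this hunk now disagree with each other: the unchanged line "Schedule launch (weekday, TuesdayThursday best)" says Tuesday to Thursday, while the HackerNews item below it still reads "Time for Monday morning ET (highest engagement)". Pick one and fix the other, or state that the HN-specific timing deliberately overrides the general rule, before this checklist is acted on. Ticking the draft item with a pointer to docs/SHOW-HN.md is fine; making it a relative markdown link would let it resolve in the rendered checklist.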

docs/SHOW-HN.md Normal file

@ -0,0 +1,81 @@
# Show HN: Clavitor Password manager with two-tier encryption for humans with AI assistants
**TL;DR:** A password manager that knows your AI assistant needs your GitHub key, but doesn't need your CVV. Field-level encryption with WebAuthn PRF for L2 secrets. One Go binary, MIT licensed.
---
## The Problem
Your Claude/Codex/Cursor agent needs credentials to deploy code, rotate keys, complete 2FA. But every existing password manager is all-or-nothing:
- Give the AI your vault password → it sees everything (including your credit card)
- Don't give it access → it can't do its job
We needed per-field visibility. So we built it.
---
## Two-Tier Encryption
**L1 (Credential Encryption):** Server-side key. AI-readable. API keys, SSH keys, TOTP secrets.
**L2 (Identity Encryption):** WebAuthn PRF, client-side only. Card numbers, CVV, passport, private keys. The server literally cannot decrypt these — the key is derived from your Touch ID / Face ID / YubiKey in the browser and never leaves.
Same entry. Two encryption tiers. The AI sees the GitHub token. It sees that you *have* an Amex card. It cannot see the card number.
---
## Technical Details
- **One binary:** `clavitor` → SQLite file on port 1984. No Docker, no Postgres, no Redis.
- **MCP-native:** `/mcp` endpoint with `get_credential()`, `get_totp()`, `check_expiring()`. Works with Claude Code, Cursor, Codex.
- **LLM import:** Native parsers for Chrome/Firefox/Bitwarden/Proton (12k+ entries instant). LLM fallback for any other format.
- **Collision resolution:** Import from multiple sources, newest `timePasswordChanged` wins per entry.
- **FIPS 140-3:** Go crypto with CNG/OpenSSL backends where available.
---
## Why This Matters
LastPass lost encrypted vaults in 2022. Three years later, attackers are still cracking them — weak passwords first. FBI traced $150M+ in crypto theft to that single breach.
Clavitor's L2 fields use WebAuthn PRF. The server never has the key. Even shell access to the box doesn't get your credit card numbers. Math, not policy.
---
## Quick Start
```bash
# Self-host in 30 seconds
curl -fsSL clavitor.ai/install.sh | sh
./clavitor
# Running on http://localhost:1984
# Claude Code MCP config
~/.claude/mcp.json:
{
"mcpServers": {
"clavitor": {
"command": "clavitor",
"args": ["mcp"]
}
}
}
```
---
## Code & License
- **GitHub:** https://github.com/johanj/clavitor
- **License:** MIT
- **Language:** Go 1.24
- **Platforms:** Linux/amd64, Linux/arm64, Darwin/arm64, Darwin/amd64
The port number is intentional.
---
## Questions?
AMA in comments. Happy to discuss the WebAuthn PRF implementation, the MCP protocol design, or why we chose SQLite over "web scale" alternatives.
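Review bot: the "Why This Matters" section overclaims relative to the model this same file describes under "Two-Tier Encryption": "Even shell access to the box doesn't get your credit card numbers. Math, not policy." holds only for L2 fields, while L1 (API keys, SSH keys, TOTP secrets) is encrypted with a server-side key and is exactly what shell access on the host does expose. State that boundary in the draft in one sentence (for example: shell access exposes everything the AI can read and nothing it cannot), because it will be the first question in the thread. Related gaps a reader will raise: the L2 paragraph says the PRF-derived key "never leaves" but says nothing about recovery when the Touch ID device or YubiKey is lost (a second registered authenticator, an export path, or is L2 data simply gone?); the "FIPS 140-3" bullet should say whether this is Go 1.24's built-in FIPS 140-3 module (GODEBUG=fips140=on) or a vendor fork with CNG/OpenSSL backends, since upstream Go has no CNG or OpenSSL backend on any of the listed platforms; and the "$150M+" figure in the LastPass paragraph needs a citation. In Quick Start, the single bash block mixes shell commands with the contents of ~/.claude/mcp.json, so the JSON is not copy-pasteable as shown; split it into a shell block and a json block, and consider pairing `curl -fsSL clavitor.ai/install.sh | sh` with a download-then-inspect alternative or a published checksum, which a security-focused launch post will be judged on.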