---
name: clavitor
description: Access credentials, TOTP codes, and secrets stored in a Clavitor vault via clavitor-cli
---

Access credentials, TOTP codes, and secrets stored in a Clavitor vault.

## When to use

Use this skill when you need to:

- Look up a password, API key, or SSH credential
- Generate a TOTP/2FA code
- Store a new credential, note, card, or address
- Update an existing credential

## Commands

### Get a credential

```bash
clavitor-cli get
```

Searches by title. Returns all fields. L2 fields are decrypted locally. L3 fields (hardware-key-only) show `[L3 -- requires hardware key]`.

### List entries

```bash
clavitor-cli list   # all entries
clavitor-cli list   # search by title
```

Returns: entry_id, type, title (tab-separated).

### Get a TOTP code

```bash
clavitor-cli totp
```

Returns a live 6-digit TOTP code. Valid for 30 seconds.

### Store or update an entry (upsert)

All `put` commands create if new, update if the title already exists.

```bash
# Credential
clavitor-cli put credential "GitHub" --username octocat --password hunter2 --url https://github.com

# Note
clavitor-cli put note "Deploy checklist" --text "1. Run tests 2. Tag release 3. Deploy"

# Card
clavitor-cli put card "Amex" --holder "Johan Jongsma" --number 378282246310005 --cvv 1234 --expiry 09/28

# Address
clavitor-cli put address "Office" --street "123 Main St" --city Springfield --state IL --zip 62704
```

### JSON output

Add `--json` to any read command for machine-readable output:

```bash
clavitor-cli get github --json
clavitor-cli list --json
```

## Encryption model

Fields are encrypted at different tiers:

- **L1** (plaintext on server): titles, URLs, usernames — you can read these
- **L2** (agent-decryptable): passwords, API keys, TOTP seeds — the CLI decrypts these locally
- **L3** (hardware-key-only): card numbers, CVV, passport, SSN — you cannot access these

When you `put` a credential, passwords and TOTP seeds are automatically encrypted as L2. Card numbers and CVV are encrypted as L2. L3 fields can only be set via the web UI with a hardware key.

## Important

- Do NOT try to read the vault database file directly. Use the CLI.
- Do NOT store the vault's L2 key in files, logs, or conversation history.
- The CLI must be initialized first: `clavitor-cli init ` (one-time setup).
- All access is logged in the vault's audit trail.

## Install this skill

```bash
clavitor-cli skill --install
```
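
Because `get` searches by title and `put` updates whenever the title already exists, it helps to confirm that a title resolves to exactly one entry before acting on it. The following is an added example, not part of the Clavitor project: it filters the tab-separated `clavitor-cli list` output described above (entry_id, type, title). The function names, the sample rows, the entry_id values, and the case-insensitive comparison are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not Clavitor's own code).
# Reads `clavitor-cli list` output on stdin, assumed to be exactly three
# tab-separated columns per line: entry_id, type, title.
#
# resolve_entry TYPE TITLE
#   prints the entry_id and returns 0 if exactly one entry matches
#   returns 1 if nothing matches, 2 if the title is ambiguous
resolve_entry() {
    # Values are passed through the environment rather than `awk -v`
    # so backslashes in a title are not interpreted as escapes.
    WANT_TYPE=$1 WANT_TITLE=$2 awk -F '\t' '
        # Whole-title comparison, case-insensitive (assumption), so
        # "GitHub" never matches "GitHub Enterprise".
        NF == 3 && $2 == ENVIRON["WANT_TYPE"] &&
        tolower($3) == tolower(ENVIRON["WANT_TITLE"]) { id = $1; n++ }
        END {
            if (n == 1) { print id; exit 0 }
            exit (n == 0 ? 1 : 2)   # 1 = not found, 2 = ambiguous
        }'
}

# Constructed sample rows standing in for real `clavitor-cli list` output.
sample_list() {
    printf '%s\t%s\t%s\n' \
        e1 credential 'GitHub' \
        e2 credential 'GitHub Enterprise' \
        e3 note       'GitHub' \
        e4 credential 'Staging DB' \
        e5 credential 'staging db'
}

# Usage against a real vault (requires an initialized CLI):
#   clavitor-cli list | resolve_entry credential "GitHub" || echo "refusing to guess" >&2
```

A non-zero return before a `put` means the title is either new (1) or shared by several entries (2), which tells you whether the upsert would create an entry or modify an existing one.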