# Show HN: Clavitor, a password manager with two-tier encryption for humans with AI assistants
**TL;DR:** A password manager that knows your AI assistant needs your GitHub key, but doesn't need your CVV. Field-level encryption with WebAuthn PRF for L2 secrets. One Go binary, MIT licensed.
---
## The Problem
Your Claude/Codex/Cursor agent needs credentials to deploy code, rotate keys, complete 2FA. But every existing password manager is all-or-nothing:
- Give the AI your vault password → it sees everything (including your credit card)
- Don't give it access → it can't do its job
We needed per-field visibility. So we built it.
---
## Two-Tier Encryption
**L1 (Credential Encryption):** Sealed under a server-side key, so the server can decrypt it and an AI agent can read it through the API: API keys, SSH keys, TOTP secrets. This tier is protected by the server's key handling and access control, not by anything only the client holds.
**L2 (Identity Encryption):** Sealed client-side under a key derived from the WebAuthn PRF extension. Card numbers, CVV, passport, private keys. The server cannot decrypt these: the key is derived in the browser from the PRF output your authenticator (Touch ID / Face ID / YubiKey) returns, and neither that output nor the derived key ever leaves the client.
Same entry. Two encryption tiers. The AI sees the GitHub token. It sees that you *have* an Amex card. It cannot see the card number.
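How the two tiers fit inside one entry, as an added Go example that is not Clavitor's own code: every field is AES-256-GCM with the entry title and field name as associated data, L1 fields are sealed under a key the server holds, and L2 fields under a key derived from a stand-in PRF output. The HMAC label `clavitor-l2-field-key-v1`, the field names and the `Put`/`Open`/`AgentView` functions are this example's assumptions; in the real flow the L2 derivation and decryption run in the browser, and the Go server only ever sees the sealed `Field`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const (
	L1 = 1 // sealed under the server-held key: the server and its MCP tools can decrypt
	L2 = 2 // sealed under a key the browser derives from the WebAuthn PRF output; the server stores ciphertext only
)

// Field is one encrypted field: 12-byte GCM nonce || AES-256-GCM ciphertext+tag.
type Field struct {
	Tier       int
	Ciphertext []byte
}

type Entry struct {
	Title  string
	Fields map[string]Field
}

// aad binds a ciphertext to its entry and field name: a sealed field cannot be
// moved to another entry or renamed without failing the GCM tag check.
func aad(e *Entry, name string) []byte { return []byte(e.Title + "\x00" + name) }

// Put seals one field under key. The server calls it with its L1 key; for L2
// the browser calls it with the PRF-derived key and uploads only the Field.
func Put(e *Entry, name string, tier int, key, plaintext []byte) error {
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return err
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	e.Fields[name] = Field{Tier: tier, Ciphertext: a.Seal(nonce, nonce, plaintext, aad(e, name))}
	return nil
}

// Open decrypts one field with key; it fails on a wrong key or any tampering.
func Open(e *Entry, name string, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a, _ := cipher.NewGCM(block)
	ct, n := e.Fields[name].Ciphertext, a.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("field %q missing or too short", name)
	}
	return a.Open(nil, ct[:n], ct[n:], aad(e, name))
}

// L2KeyFromPRF turns the 32-byte PRF output of the authenticator into the L2 key.
// HMAC-SHA256 under a fixed label is this example's KDF, an assumption rather than
// the project's documented derivation; in the real flow this runs in the browser.
func L2KeyFromPRF(prf []byte) []byte {
	m := hmac.New(sha256.New, prf)
	m.Write([]byte("clavitor-l2-field-key-v1"))
	return m.Sum(nil)
}

// AgentView is what a get_credential()-style tool can return when the server
// holds only l1Key: L1 fields in plaintext, L2 fields by name only.
func AgentView(e *Entry, l1Key []byte) (map[string]string, []string, error) {
	readable, locked := map[string]string{}, []string{}
	for name, f := range e.Fields {
		if f.Tier == L2 {
			locked = append(locked, name)
			continue
		}
		pt, err := Open(e, name, l1Key)
		if err != nil {
			return nil, nil, err
		}
		readable[name] = string(pt)
	}
	return readable, locked, nil
}

func main() {
	// Constructed sample values; prf stands in for the authenticator's PRF output.
	l1Key, prf := make([]byte, 32), make([]byte, 32)
	rand.Read(l1Key)
	rand.Read(prf)
	l2Key := L2KeyFromPRF(prf) // exists only in the browser
	e := &Entry{Title: "github+amex", Fields: map[string]Field{}}
	Put(e, "github_token", L1, l1Key, []byte("ghp_constructed_sample"))
	Put(e, "card_number", L2, l2Key, []byte("3782 822463 10005"))
	readable, locked, _ := AgentView(e, l1Key)
	_, serverErr := Open(e, "card_number", l1Key) // the server's attempt with its own key
	card, _ := Open(e, "card_number", l2Key)      // the browser's attempt with the PRF-derived key
	fmt.Printf("agent sees %v, knows of %v\nserver opening L2: %v\nbrowser recovers %q\n", readable, locked, serverErr, card)
}
```

Run it with `go run`: the agent view lists `github_token` in the clear and `card_number` by name only, the server's own key fails the GCM tag check on the L2 field, and only the PRF-derived key recovers the card. The associated data is the detail worth copying: without it, a sealed CVV could be re-labelled as a field the agent is allowed to read, and the tag would still verify.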
---
## Technical Details
- **One binary:** `clavitor` serves HTTP on port 1984 and keeps everything in one SQLite file. No Docker, no Postgres, no Redis.
- **MCP-native:** a `/mcp` endpoint exposing `get_credential()`, `get_totp()` and `check_expiring()` as tools. They return L1 fields only; L2 fields show up by name, never by value. Works with Claude Code, Cursor, Codex.
- **Import, native and LLM:** native parsers for Chrome/Firefox/Bitwarden/Proton exports (12k+ entries import instantly), with an LLM fallback for any other format.
- **Collision resolution:** import from multiple sources and, per entry, the newest `timePasswordChanged` wins.
- **FIPS 140-3:** Go crypto, using the CNG/OpenSSL backends where available.
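The collision rule as an added Go example, not the project's importer: the `Login` struct and its field names are assumptions, the three exports are constructed, and the key that decides what counts as "the same entry" (host without scheme, path or a leading `www.`, plus the exact username) is a design choice the post does not spell out.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Login is the normalized record each native parser (Chrome, Firefox, Bitwarden,
// Proton) would hand to the merge step. The field names are this example's
// assumption; TimePasswordChanged follows Firefox's logins.json (ms since the
// epoch) and is 0 for sources that carry no change timestamp, such as Chrome's CSV.
type Login struct {
	Source              string
	URL                 string
	Username            string
	Password            string
	TimePasswordChanged int64
}

// mergeKey decides what counts as "the same entry" across sources: the
// lower-cased host without a leading "www." plus the exact username. Scheme,
// path and query are dropped because exports disagree on them for one site.
func mergeKey(l Login) string {
	raw := strings.TrimSpace(l.URL)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // Chrome exports a full URL; Bitwarden may store a bare host
	}
	host := strings.ToLower(raw)
	if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
		host = strings.ToLower(u.Hostname())
	}
	return strings.TrimPrefix(host, "www.") + "\x00" + l.Username
}

// Merge applies "newest TimePasswordChanged wins per entry". The first source
// to contribute a key fixes the output position; a later duplicate replaces it
// only if strictly newer, so ties and untimestamped duplicates keep the earlier
// source, which makes source order the tiebreaker.
func Merge(sources ...[]Login) []Login {
	best := map[string]Login{}
	var order []string
	for _, src := range sources {
		for _, l := range src {
			k := mergeKey(l)
			cur, seen := best[k]
			switch {
			case !seen:
				order = append(order, k)
				best[k] = l
			case l.TimePasswordChanged > cur.TimePasswordChanged:
				best[k] = l
			}
		}
	}
	out := make([]Login, 0, len(order))
	for _, k := range order {
		out = append(out, best[k])
	}
	return out
}

// SampleMerge runs Merge over three constructed exports that all hold alice's
// GitHub login with different passwords and timestamps.
func SampleMerge() []Login {
	chrome := []Login{ // Chrome CSV: no timestamp
		{Source: "chrome", URL: "https://github.com/login", Username: "alice", Password: "old-pw"},
	}
	firefox := []Login{
		{Source: "firefox", URL: "https://www.github.com", Username: "alice", Password: "new-pw", TimePasswordChanged: 1700000000000},
		{Source: "firefox", URL: "https://example.org", Username: "alice", Password: "ex-pw", TimePasswordChanged: 1690000000000},
	}
	bitwarden := []Login{
		{Source: "bitwarden", URL: "github.com", Username: "alice", Password: "mid-pw", TimePasswordChanged: 1650000000000},
	}
	return Merge(chrome, firefox, bitwarden)
}

func main() {
	for _, l := range SampleMerge() {
		host := strings.Split(mergeKey(l), "\x00")[0]
		fmt.Printf("%-12s %-6s from %-9s changed=%d\n", host, l.Username, l.Source, l.TimePasswordChanged)
	}
}
```

Because ties and missing timestamps keep the earliest source, the order you pass exports in matters: put the store you trust most first, so a Chrome CSV with no timestamps cannot silently win over a dated Firefox or Bitwarden record.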
---
## Why This Matters
LastPass lost encrypted vaults in 2022. Three years later, attackers are still cracking them — weak passwords first. FBI traced $150M+ in crypto theft to that single breach.
Clavitor's L2 fields use WebAuthn PRF. The server never has the key, so shell access to the box yields only ciphertext for your credit card numbers. Math, not policy. The honest caveat: that protects the data at rest. An attacker who holds the server while you keep unlocking against it can serve a tampered web client that reads a field after your browser decrypts it, so the box still needs patching and the client code still needs to be trusted.
---
## Quick Start
```bash
# Self-host in 30 seconds (fetched over HTTPS; read install.sh first if you prefer)
curl -fsSL https://clavitor.ai/install.sh | sh
./clavitor
# Running on http://localhost:1984
```

Claude Code MCP config, in `~/.claude/mcp.json`:

```json
{
  "mcpServers": {
    "clavitor": {
      "command": "clavitor",
      "args": ["mcp"]
    }
  }
}
```
---
## Code & License
- **GitHub:** https://github.com/johanj/clavitor
- **License:** MIT
- **Language:** Go 1.24
- **Platforms:** Linux/amd64, Linux/arm64, Darwin/arm64, Darwin/amd64
The port number is intentional.
---
## Questions?
AMA in comments. Happy to discuss the WebAuthn PRF implementation, the MCP protocol design, or why we chose SQLite over "web scale" alternatives.