# GitHub 2FA Listing — Strategy & Outreach

*Task: C-010 | Goal: Get Clavitor listed on GitHub's 2FA setup screen alongside 1Password, Authy, Keeper*

---
## Where the Listing Lives

GitHub's 2FA setup flow (Settings → Password and authentication → Two-factor authentication) recommends specific TOTP password managers in the UI copy. This is **not** in the public github/docs repo — it's hardcoded in GitHub's frontend/settings codebase.

Known mentions in GitHub docs and community:
- `docs.github.com` recommends: **KeePassXC** (desktop), **1Password** (browser extension)
- GitHub UI mentions: **1Password, Authy, Microsoft Authenticator** (recovery codes screen)
- Recovery codes step 2 of 3 specifically lists: **1Password, Authy, Keeper** (per task description)

This is a **partnerships/security team ask**, not an open PR to github/docs.

---
## Prerequisites (Blockers — must clear first)

Clavitor cannot credibly request this listing until:

- [ ] **Public GitHub repo** — GitHub won't list a product without verifiable open-source presence. `github.com/johanj/clavitor` must be live with README, releases, stars.
- [ ] **Browser extension** — 1Password, Authy, Keeper are all listed because they have browser extensions for autofill + TOTP. Without a Chrome extension in the Web Store, the listing ask is premature.
- [ ] **Published TOTP documentation** — GitHub needs to see documented TOTP support. A dedicated docs page at `clavitor.ai/docs/totp` or similar.
- [ ] **Security audit / disclosure policy** — GitHub will want to see `/.well-known/security.txt` (already done ✅) plus ideally a published security contact and responsible disclosure policy.
- [ ] **Meaningful user base / traction** — GitHub only lists established tools. Get the Show HN post, Product Hunt launch, and some GitHub stars first (target: 500+ stars).

---
## Outreach Path

### Option A: GitHub Security Partnership Team (preferred)

GitHub has a security partnerships program. The ask goes to their security team, not docs team.

**Contact:** `security@github.com` or `partnerships@github.com`

**Template email** (send after prerequisites cleared):
```
Subject: Partnership inquiry — Clavitor TOTP/password manager listing

Hi GitHub Security team,

I'm Johan Jongsma, the founder of Clavitor (clavitor.ai),
an open-source AI-native password manager with native TOTP support.

We've been seeing strong adoption from developers who use Claude Code,
Codex, and similar AI coding assistants — users who need their agents
to complete 2FA flows autonomously. Clavitor is currently the only
password manager that exposes TOTP codes to AI agents via MCP while
keeping identity fields (credit cards, passports) client-side only
via WebAuthn PRF.

We'd love to be considered for the recommended password manager list
on GitHub's 2FA setup screen alongside 1Password, Authy, and Keeper.

Clavitor:
- Supports TOTP with `get_totp("GitHub")` via MCP (AI agents)
- MIT licensed, source at github.com/johanj/clavitor
- Chrome extension available in Web Store
- Self-hostable (one binary) or hosted at clavitor.ai
- WebAuthn PRF for identity fields (client-side only)
- Security: security@clavitor.ai, /.well-known/security.txt

We're happy to provide any additional information, documentation,
or undergo a security review.

Best,
Johan Jongsma
founder@clavitor.ai
```
### Option B: github/docs Pull Request

Some GitHub recommendations ARE in the docs repo. Check:
`github.com/github/docs/blob/main/content/authentication/securing-your-account-with-two-factor-authentication-2fa/`

If the specific "Password managers like 1Password, Authy, Keeper" text is in a docs file:
1. Fork github/docs
2. Add Clavitor to the list
3. Submit PR with reasoning

**Likelihood of acceptance:** Low without established brand. GitHub will likely request evidence of adoption and security review before merging.

### Option C: GitHub Community Discussion

Post in `github.com/orgs/community/discussions` — "Suggestion: Add Clavitor to recommended 2FA tools." This signals community interest and gets seen by the GitHub team who monitors that forum.

---
## Success Criteria by Phase

| Phase | Milestone | Then |
|-------|-----------|------|
| 1 | Public repo live, 100+ stars | Submit github/docs PR |
| 2 | 500+ stars, browser extension in Chrome Store | Email security@github.com |
| 3 | Security audit complete | Follow up on PR + email |
| 4 | 1000+ stars, Show HN traction | GitHub team takes notice organically |

---
## Current Status

🔴 **Not ready to submit** — missing: public repo, browser extension, meaningful traction.

**Next action:** Complete Phase 1 (public GitHub repo launch, Show HN post, Product Hunt). Return to this task after 500 stars.

---
## Files to Create Before Outreach

- `clavitor.ai/docs/totp` — dedicated TOTP documentation page
- `clavitor.ai/security` — security policy page (or redirect to /.well-known/security.txt)
- `github.com/johanj/clavitor` — public repo with README and releases