johan
/
clavitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clavitor/docs/PRODUCT-HUNT.md

147 lines
5.5 KiB
Markdown
Raw Blame History

# Product Hunt — Clavitor Launch Assets
*Ready to copy-paste into producthunt.com when launching*
---
## Product Info
**Name:** Clavitor
**Tagline** (60 chars max):
```
The password manager your AI can use — safely
```
**Alternative taglines:**
- `Field-level encryption for humans with AI assistants`
- `Your AI gets the API keys. Not your CVV.`
- `Two-tier encryption: what your AI reads vs. what only you read`
---
## Description (260 chars for PH short description):
```
Clavitor encrypts each vault field at the right tier. Your AI agent gets your GitHub key and TOTP codes. Your credit card and passport stay client-side — WebAuthn PRF key never touches the server. One binary. MIT.
```
---
## Long Description (for PH product page):
Clavitor is a password manager built for humans who use AI assistants.
Every existing password manager is all-or-nothing: either your AI has access to your entire vault, or nothing at all. That's wrong. Your Claude or Codex agent needs your GitHub key. It doesn't need your CVV.
**Two-tier encryption:**
**Credential fields (L1):** Encrypted at rest, decryptable by the vault server. Your AI agent reads these via the CLI or MCP. API keys, SSH keys, TOTP secrets, OAuth tokens.
**Identity fields (L2):** Encrypted client-side with WebAuthn PRF — a key derived from your Touch ID, Face ID, or YubiKey, in your browser. The server never has the key. We cannot read these. Even if someone has shell access to the box, L2 stays sealed.
**Built for the AI era:**
- MCP endpoint (Claude Code, Cursor, Codex) — `get_credential()`, `get_totp()`, `check_expiring()`
- AI-powered 2FA: your agent generates TOTP codes on demand
- Scoped tokens per agent — one compromised agent, one scope compromised
- LLM field mapping for browser extension (fills by intent, not CSS selector guessing)
- LLM import from any password manager export (Chrome, Firefox, Bitwarden, Proton — native parsers)
**Why this matters:**
In 2022, LastPass lost encrypted vault backups. Attackers are still cracking them today — FBI traced $150M in crypto theft to that single breach. Those vaults were encrypted with passwords. Passwords get cracked. Clavitor's L2 fields are derived from hardware authenticators. There's no password to crack.
**Stack:** Go binary + SQLite. No Docker. No database server. No cloud account required.
Self-host free (MIT). Hosted at $12/year.
Port 1984. Because someone has to watch the watchers.
---
## Gallery / Screenshots Needed
1. **Hero split-screen:** Left (green) = AI-readable fields (API key, SSH, TOTP). Right (red) = Identity-only fields (card, CVV, passport). Same entry, different locks.
2. **CLI demo:** `clavitor get github.token --agent dev` → token returned. `clavitor get credit.card --agent dev` → access denied.
3. **MCP config:** 5-line `~/.claude/mcp.json` + Claude Code using it
4. **Encryption diagram:** WebAuthn PRF key derivation — key born and dies in browser
*Note: Screenshots/images need to be created before launch. See docs/LAUNCH-CHECKLIST.md*
---
## Categories (select on PH)
- Primary: **Security**
- Secondary: **Developer Tools**, **Productivity**
- Tags: `password-manager`, `ai`, `open-source`, `self-hosted`, `mcp`, `webauthn`
---
## Topics / Keywords
`password manager`, `AI agents`, `MCP`, `WebAuthn`, `self-hosted`, `open source`, `security`, `Claude Code`, `Codex`, `Cursor`, `credential management`, `field-level encryption`, `TOTP`, `SSH keys`
---
## Links
- **Website:** https://clavitor.ai
- **GitHub:** https://github.com/johanj/clavitor (once public)
- **Install:** https://clavitor.ai/install
- **Pricing:** https://clavitor.ai/pricing
- **Twitter/X:** @clavitor (once registered)
---
## Maker Comment (post on launch day — first comment on your own PH post)
```
Hey PH! 👋
I built Clavitor because my AI assistant needed credentials to do its job —
but every password manager gave it either everything or nothing.
The insight: not all credentials are equal. My GitHub key? Fine for the AI.
My credit card number? Nobody's business but mine.
So I built two-tier encryption:
- L1 fields: AI-readable (API keys, SSH, TOTP)
- L2 fields: WebAuthn PRF, client-side only. Server never has the key.
Happy to answer anything — the crypto design, the MCP integration,
why port 1984, or why I think "AI-safe mode" in existing managers
is just policy theater. AMA 🔐
```
---
## Launch Timing
- **Best days:** Tuesday, Wednesday, Thursday
- **Post time:** 12:01 AM Pacific (PH resets at midnight PT — first mover advantage)
- **Pre-launch:** Notify existing contacts/community night before
- **Coordinate with:** Show HN post same week (see docs/SHOW-HN.md)
- **Accounts to upvote from:** Johan's PH account + community (don't ask people to "upvote" directly — ask them to "check it out")
---
## Pre-Launch Requirements
Before submitting to Product Hunt, ensure:
- [ ] GitHub repo is public with README, one-liner install, binary releases
- [ ] clavitor.ai is live and fast
- [ ] Browser extension submitted to Chrome Web Store (even if pending review)
- [ ] @clavitor X handle registered
- [ ] Gallery images/screenshots created
---
## Checklist
- [ ] Create Product Hunt account (or use Johan's existing account)
- [ ] Submit product for review (PH requires review before featured launch)
- [ ] Upload gallery images (min 2, recommended 4-5)
- [ ] Add YouTube demo video (optional but boosts ranking significantly)
- [ ] Connect Twitter/X account to PH profile
- [ ] Schedule launch date
- [ ] Write and stage the maker comment
- [ ] Notify community: OpenClaw Discord, HN post same week, X thread
Reference in New Issue View Git Blame Copy Permalink