window.isSecureContext| SECURE // LOCAL ONLY | | browser boundary -> WebAuthn ceremony | | blocked // window.isSecureContext | | No AI usage is touched. |
browser boundary -> WebAuthn ceremony

VTK://IDENTITY-BOUNDARY//GITHUB-FIRST//LOCAL-KEY-OPTIONAL
Do not promote a browser ceremony into account or usage verification.
The server verifies the immutable GitHub subject used for account linking and the blue identity check.
This page can create or request a local credential. It does not send the assertion to a verification server.
Passkeys do not validate provider usage, move spend, publish records, or change leaderboard rank.
Create, check, or clear the browser-held credential reference without moving account or usage state.
none storedWebAuthn is unavailable in this browser context. GitHub account identity remains available.
A browser-local WebAuthn map that keeps authenticator state separate from server account identity, usage records, CLI approval, and public publishing.
window.isSecureContext| SECURE // LOCAL ONLY | | browser boundary -> WebAuthn ceremony | | blocked // window.isSecureContext | | No AI usage is touched. |
browser boundary -> WebAuthn ceremony
navigator.credentials.create/get| PROMPT // LOCAL ONLY | | browser API -> device authenticator | | manual // navigator.credentials.create/get | | A local response is not server account verification. |
browser API -> device authenticator
localStorage:vibeusage.passkey.rawId| VAULT // LOCAL ONLY | | browser local state -> credential id preview | | empty // localStorage:vibeusage.passkey.rawId | | Private key stays in authenticator. |
browser local state -> credential id preview
npx vibetrack audit| FIREWALL // NOT USAGE | | identity proof -> usage ledger | | 0 mutations // npx vibetrack audit | | Spend, credits, rank, and records unchanged. |
identity proof -> usage ledger
npx vibetrack login| CLI // PRIVACY | | GitHub / C0VIBE server -> local CLI token | | after check // npx vibetrack login | | Local assertion grants no CLI token; server identity is requir |
GitHub / C0VIBE server -> local CLI token
npx vibetrack upload --dry-run| PUBLISH // PUBLISH | | reviewed aggregates -> c0vibe.app profile | | locked // npx vibetrack upload --dry-run | | Dry-run before public profile. |
reviewed aggregates -> c0vibe.app profile
A passkey recovery drill for secure context checks, backup authenticators, CLI token refresh, dry-run review, and zero usage movement.
https context
webauthn available
local rail armed
Recovery starts by checking whether this browser can run a WebAuthn ceremony at all.
window.isSecureContextrawId preview
secret unavailable
local receipt only
The page can show a credential id preview, but it never exports the private key or raw usage ledger.
localStorage:vibeusage.passkey.rawIdsecond key slot
user mediated
identity only
A second local key remains browser-authenticator state, not server identity or stronger usage evidence.
navigator.credentials.createdevice code loop
scoped token
ledger untouched
Refreshing a local uploader token uses the server identity flow and stays separate from this browser-local assertion.
npx vibetrack loginscore frozen
spend frozen
rank frozen
Recovery drills are visible trust context only; score, spend, credits, and provider totals stay frozen.
npx vibetrack auditpreview bundle
c0vibe.app rail
explicit publish
The public relay stays opt-in and preview-first, even after account recovery succeeds.
npx vibetrack upload --dry-runsecure context check platform auth prompt rp: VibeUsage attestation none
WebAuthn asks the platform authenticator for a local response; this page does not send it to a verification server.
navigator.credentials.createrawId preview only secret stays in device browser-local state clearable by user
The page keeps only a credential id preview locally; the authenticator keeps the real secret.
localStorage:vibeusage.passkey.rawIdrank mutation blocked spend totals untouched records stay separate trust label visible
Passkeys never change spend, credits, rank, provider totals, or trusted usage status.
npx vibetrack auditdevice code opens account approves token is scoped usage stays local
CLI uploader identity comes from the GitHub-first server flow, not this browser-local assertion.
npx vibetrack logindry-run bundle signed aggregate profile labels rails c0vibe.app receipt
Public profile publishing keeps identity, self-reported usage, and trust evidence visibly separated.
npx vibetrack upload --dry-run