VibeUsage
Get your UsageStats

VTK://IDENTITY-BOUNDARY//GITHUB-FIRST//LOCAL-KEY-OPTIONAL

GitHub proves the account. This key stays local.

Use GitHub for the blue identity check and CLI account link. This optional WebAuthn lab only asks whether a browser authenticator can create or answer with a local credential.
NOT AN ACCOUNT LOGINThe challenge is generated in this browser and no assertion is sent to a server. A successful response proves only that the local authenticator answered.
SERVER VERIFICATIONS0this local lab
USAGE MUTATIONS0ledger untouched
RANK DELTA0identity is not usage
LOCAL REFERENCENOnone stored
01

Three proofs. Three different jobs.

Do not promote a browser ceremony into account or usage verification.

01
Account identityGitHub first

The server verifies the immutable GitHub subject used for account linking and the blue identity check.

02
Local authenticatorOptional browser check

This page can create or request a local credential. It does not send the assertion to a verification server.

03
Usage evidenceSeparate ledger proof

Passkeys do not validate provider usage, move spend, publish records, or change leaderboard rank.

02

Optional local key lab

Create, check, or clear the browser-held credential reference without moving account or usage state.

IDLE

No local credential reference is stored in this browser.

none stored

WebAuthn is unavailable in this browser context. GitHub account identity remains available.

TECHNICAL REFERENCEOpen the ceremony, recovery, and proof diagramsBrowser stages, local credential custody, zero-mutation rails, and recovery drills.
VTK://PASSKEY-CEREMONY//LOCAL-ONLY//ZERO-USAGE-MUTATIONPasskey ceremony control

A browser-local WebAuthn map that keeps authenticator state separate from server account identity, usage records, CLI approval, and public publishing.

SECURESecure browser contextblocked
secure context neededwindow.isSecureContext
| SECURE // LOCAL ONLY                                           |
| browser boundary -> WebAuthn ceremony                          |
| blocked // window.isSecureContext                              |
| No AI usage is touched.                                        |

browser boundary -> WebAuthn ceremony

No AI usage is touched.
PROMPTPlatform authenticatormanual
user mediatednavigator.credentials.create/get
| PROMPT // LOCAL ONLY                                           |
| browser API -> device authenticator                            |
| manual // navigator.credentials.create/get                     |
| A local response is not server account verification.           |

browser API -> device authenticator

A local response is not server account verification.
VAULTCredential id previewempty
no local prooflocalStorage:vibeusage.passkey.rawId
| VAULT // LOCAL ONLY                                            |
| browser local state -> credential id preview                   |
| empty // localStorage:vibeusage.passkey.rawId                  |
| Private key stays in authenticator.                            |

browser local state -> credential id preview

Private key stays in authenticator.
NOT USAGEUsage mutation firewall0 mutations
NOT USAGEnpx vibetrack audit
| FIREWALL // NOT USAGE                                          |
| identity proof -> usage ledger                                 |
| 0 mutations // npx vibetrack audit                             |
| Spend, credits, rank, and records unchanged.                   |

identity proof -> usage ledger

Spend, credits, rank, and records unchanged.
CLICLI approval bridgeafter check
idlenpx vibetrack login
| CLI // PRIVACY                                                 |
| GitHub / C0VIBE server -> local CLI token                      |
| after check // npx vibetrack login                             |
| Local assertion grants no CLI token; server identity is requir |

GitHub / C0VIBE server -> local CLI token

Local assertion grants no CLI token; server identity is required.
PUBLISHPublic profile relaylocked
Vibers Unitenpx vibetrack upload --dry-run
| PUBLISH // PUBLISH                                             |
| reviewed aggregates -> c0vibe.app profile                      |
| locked // npx vibetrack upload --dry-run                       |
| Dry-run before public profile.                                 |

reviewed aggregates -> c0vibe.app profile

Dry-run before public profile.
This local WebAuthn ceremony does not verify a server account.No provider calls, prompt reads, or output reads occur during the ceremony.Usage totals, credits, spend, records, and rank remain unchanged.Public profile publishing still requires dry-run review and explicit upload.
VTK://PASSKEY-RECOVERY-RELAY//LOCAL-ONLY//NOT-USAGERecovery relay

A passkey recovery drill for secure context checks, backup authenticators, CLI token refresh, dry-run review, and zero usage movement.

CHECK
Secure context drillblocked
https context                 
webauthn available            
local rail armed              
secure context needed

Recovery starts by checking whether this browser can run a WebAuthn ceremony at all.

window.isSecureContext
  • secure origin
  • webauthn API
  • manual user action
  • no provider calls
local only
A blocked browser never becomes usage proof.
LOCAL
Local credential receiptempty
rawId preview                 
secret unavailable            
local receipt only            
no local proof

The page can show a credential id preview, but it never exports the private key or raw usage ledger.

localStorage:vibeusage.passkey.rawId
  • id preview
  • secret absent
  • browser local
  • clearable state
local only
Private key stays in the authenticator.
BACKUP
Second authenticator pathblocked
second key slot               
user mediated                 
identity only                 
wait for secure context

A second local key remains browser-authenticator state, not server identity or stronger usage evidence.

navigator.credentials.create
  • user present
  • attestation none
  • local only
  • rank unchanged
local only
More authenticators do not raise usage rank.
TOKEN
CLI token refreshafter check
device code loop              
scoped token                  
ledger untouched              
GitHub/server required

Refreshing a local uploader token uses the server identity flow and stays separate from this browser-local assertion.

npx vibetrack login
  • account approval
  • scoped token
  • local store
  • no usage read
privacy
Local assertion grants no token and does not read prompts, outputs, files, or spend.
NOT USAGE
Usage mutation freeze0 mutations
score frozen                  
spend frozen                  
rank frozen                   
rankImpact 0

Recovery drills are visible trust context only; score, spend, credits, and provider totals stay frozen.

npx vibetrack audit
  • 0 records
  • 0 spend
  • 0 rank delta
  • not usage label
not usage
Recovery is NOT USAGE.
DRYRUN
Public profile dry-runlocked
preview bundle                
c0vibe.app rail               
explicit publish              
Vibers Unite

The public relay stays opt-in and preview-first, even after account recovery succeeds.

npx vibetrack upload --dry-run
  • aggregate only
  • review screen
  • signed bundle
  • manual publish
publish
No c0vibe.app write before dry-run review.
VTK://PASSKEY-PROOF//LOCAL-ONLY//NO-USAGE-MUTATIONPasskey boundary console
BROWSERAuthenticator boundarylocal only
secure context needed
secure context check        
platform auth prompt        
rp: VibeUsage               
attestation none            

WebAuthn asks the platform authenticator for a local response; this page does not send it to a verification server.

navigator.credentials.create
Local authenticator check only; server identity remains unverified.
VAULTLocal credential vaultlocal only
no local proof
rawId preview only          
secret stays in device      
browser-local state         
clearable by user           

The page keeps only a credential id preview locally; the authenticator keeps the real secret.

localStorage:vibeusage.passkey.rawId
No usage records stored here.
FIREWALLUsage ledger firewallnot usage
NOT USAGE
rank mutation blocked       
spend totals untouched      
records stay separate       
trust label visible         

Passkeys never change spend, credits, rank, provider totals, or trusted usage status.

npx vibetrack audit
Trust is not spend.
CLICLI approval handoffprivacy
GitHub/server required
device code opens           
account approves            
token is scoped             
usage stays local           

CLI uploader identity comes from the GitHub-first server flow, not this browser-local assertion.

npx vibetrack login
Local assertion grants no token; upload still needs preview.
PUBLISHC0VIBE publish receiptpublish
Vibers Unite
dry-run bundle              
signed aggregate            
profile labels rails        
c0vibe.app receipt          

Public profile publishing keeps identity, self-reported usage, and trust evidence visibly separated.

npx vibetrack upload --dry-run
Dry-run before public profile.