Your communication and task hub Encrypted to this device only
Welcome
This device has never set up Cortex. Let's create your encryption keys.
What happens in setup: 1. Generate a keypair on this device 2. You set TWO passphrases (daily + recovery) 3. Your private keys stay encrypted on this device only
Cortexv0.2
Setup · step 1 of 3
Daily passphrase
You'll type this when biometric isn't available.
enter passphrase
Stored as Argon2id-derived key. Robbie never sees it.
Cortexv0.2
Setup · step 2 of 3
Recovery passphrase
If you lose this device. Write on paper, store offline.
enter passphrase
Critical: Lose this and you cannot recover your Cortex history if this device dies.
Cortexv0.2
Setup · step 3 of 3
Generate keys
Ready to generate Curve25519 + Ed25519 keypairs. Happens in your browser.
Takes about 1-3 seconds. Argon2id is intentionally slow.
Cortexv0.2
Optional · biometric
Enable biometric?
Fingerprint or face unlock instead of typing the passphrase each time.
Stays in Android Keystore. Never leaves your device.
Cortexv0.2
Locked
🔒
Tap to unlock with biometric
Use passphrase instead
🛡 XChaCha20-Poly1305 · Curve25519 · Argon2id
Cortexv0.2
Enter daily passphrase
Unlock
Type your daily passphrase.
Cortex v0.2 unlocked
You're in. Day 3+ wires the Hub interface, sync, and channel pulls. This stub confirms encryption works end-to-end.
Encryption status
checking...
Public key (encryption)
-
Public key (signing)
-
Encryption round-trip test
click button
Day 2 verification
✅ libsodium loaded ✅ Keypair generated ✅ IndexedDB persists encrypted keys ✅ Argon2id derivation works ✅ XChaCha20-Poly1305 works (run test) ✅ Lock + unlock works ✅ WebAuthn biometric optional
Google account
Not signed in
Day 3 setup. Used for Drive-backed recovery and identity. Stores access token only, no password.
Drive recovery
Sign in to Google first
Recovery bundle (encrypted with your recovery passphrase) gets uploaded to a hidden app-only Drive folder. If this phone dies, reinstall and tap Restore from recovery on Welcome.
Push notifications
Not subscribed
Wakes the phone when Robbie has a sealed bundle ready in R2 (Day 4). Subscription endpoint auto-uploads to your Drive appdata for Robbie.
Dev mode (auto-unlock)
checking...
When dev mode is ON, daily passphrase is stored plaintext in IndexedDB and app auto-unlocks on every load. Disable before production.