Your communication and task hub Encrypted to this device only
Welcome
This device has never set up Cortex. Let's create your encryption keys.
What happens in setup: 1. Generate a keypair on this device 2. You set TWO passphrases (daily + recovery) 3. Your private keys stay encrypted on this device only
Cortexv0.2
Setup · step 1 of 3
Daily passphrase
You'll type this when biometric isn't available.
enter passphrase
Stored as Argon2id-derived key. Robbie never sees it.
Cortexv0.2
Setup · step 2 of 3
Recovery passphrase
If you lose this device. Write on paper, store offline.
enter passphrase
Critical: Lose this and you cannot recover your Cortex history if this device dies.
Cortexv0.2
Setup · step 3 of 3
Generate keys
Ready to generate Curve25519 + Ed25519 keypairs. Happens in your browser.
Takes about 1-3 seconds. Argon2id is intentionally slow.
Cortexv0.2
Optional · biometric
Enable biometric?
Fingerprint or face unlock instead of typing the passphrase each time.
Stays in Android Keystore. Never leaves your device.
Cortexv0.2
Locked
🔒
Tap to unlock with biometric
Use passphrase instead
🛡 XChaCha20-Poly1305 · Curve25519 · Argon2id
Cortexv0.2
Enter daily passphrase
Unlock
Type your daily passphrase.
Cortex v0.2 unlocked
You're in. Day 3+ wires the Hub interface, sync, and channel pulls. This stub confirms encryption works end-to-end.
Encryption status
checking...
Public key (encryption)
-
Public key (signing)
-
Encryption round-trip test
click button
Day 2 verification
✅ libsodium loaded ✅ Keypair generated ✅ IndexedDB persists encrypted keys ✅ Argon2id derivation works ✅ XChaCha20-Poly1305 works (run test) ✅ Lock + unlock works ✅ WebAuthn biometric optional
Google account
Not signed in
Day 3 setup. Used for Drive-backed recovery and identity. Stores access token only, no password.
Drive recovery
Sign in to Google first
Recovery bundle (encrypted with your recovery passphrase) gets uploaded to a hidden app-only Drive folder. If this phone dies, reinstall and tap Restore from recovery on Welcome.
R2 relay sync
Never synced
Fetches sealed bundles Robbie has written for this phone. Decrypts on-device. Bucket reads are public, content is opaque without your private key.
Push notifications
Not subscribed
Wakes the phone when Robbie has a sealed bundle ready in R2 (Day 4). Subscription endpoint auto-uploads to your Drive appdata for Robbie.
Dev mode (auto-unlock)
checking...
When dev mode is ON, daily passphrase is stored plaintext in IndexedDB and app auto-unlocks on every load. Disable before production.