The architectural blueprint.
Math, not obscurity.
This page describes the shape of the system: what runs where, which published standards it is built on, and what each layer is designed to survive. It is deliberately complete on principles and deliberately silent on implementation internals — a security model that depends on you not reading this page would not be a security model.
Five non-negotiable invariants.
Every layer is checked against these five before it ships. If a feature breaks one, it does not ship — even if a competitor offers it, even if it's convenient.
Six layers, all in your browser.
Each layer is built on an open, published standard — the same primitives anyone can read, audit, and reimplement. The composition is the architecture; none of it relies on a secret.
Authentication
Login uses an augmented PAKE. Your master secret never leaves the device — not at registration, not at login, not hashed, not at all. The server ends up with a verifier it cannot reverse and cannot reuse, so there is no password database to steal.
Key hierarchy
Vault keys are derived on-device from hardware-backed authenticator output, expanded through a one-way key schedule with strict domain separation. Every derived key has exactly one job; compromise of one context never cascades into another.
Encryption envelopes
Every record is sealed in an authenticated envelope keyed by a hybrid of elliptic-curve and ML-KEM-1024 post-quantum key encapsulation. Breaking the envelope requires breaking both. Known-answer tests pin the cryptography to published test vectors on every build.
Storage model
The vault lives on your device and is usable with zero network access. When sync is enabled, the server stores opaque encrypted blobs — it cannot distinguish a password from a passport, and the end-to-end test suite asserts no plaintext ever crosses the boundary.
Transport & origin
The application is served from a single origin with no third-party hosts, no analytics tags, and no embedded trackers. All cryptography executes in your browser; what leaves the device is ciphertext addressed to our own endpoints, nothing else.
Supply chain integrity
Releases are built reproducibly, signed keylessly, and recorded in a public append-only transparency log. The running page can verify its own bundle hash against the published manifest, so a tampered or targeted build is detectable by the person it targets.
Assume the worst. Then check the math.
The design question for every adversary is the same: with everything they can take, what do they actually get?
Deliberately.
You will not find release schedules, internal milestones, infrastructure topology, or dependency selections here. Those change; the invariants do not. What we do publish is stronger than any of it: the source, a software bill of materials, signed reproducible releases in a public transparency log, and a verifier that runs in the page you are reading. Verify, don't trust.