{
  "slug": "credential-provider",
  "meta": {
    "title": "Credential Provider | ChromVoid",
    "description": "Local-first autofill on supported platforms."
  },
  "hero": {
    "label": "Credential Provider",
    "title": "Native autofill without a cloud backplane.",
    "description": "The OS surface stays thin while the local Core decides whether a secret may leave the vault for a short-lived provider session.",
    "audience": "For supported platforms that need system autofill with local-only secret delivery."
  },
  "useCases": {
    "title": "When it fits",
    "intro": "Use the provider path when native autofill matters more than a browser-side workflow.",
    "cards": [
      {
        "title": "System autofill",
        "body": "Use a native surface on supported platforms without moving trust into the cloud."
      },
      {
        "title": "Open-vault delivery",
        "body": "Only an unlocked vault can emit the secret into the provider session."
      },
      {
        "title": "Deterministic checks",
        "body": "Policy, reachability, and session-state checks each fail closed: if any link in the chain breaks, the secret is not released."
      }
    ]
  },
  "howItWorks": {
    "title": "Request lifecycle",
    "intro": "The OS triggers the provider, Core validates the local state, and the session closes immediately after delivery.",
    "steps": [
      {
        "title": "The OS calls the provider surface",
        "body": "A local adapter receives the request from the supported platform."
      },
      {
        "title": "Core checks local state",
        "body": "Vault state and policy are verified before any secret can leave."
      },
      {
        "title": "A short provider session is opened",
        "body": "The secret is delivered and the session closes immediately afterward."
      }
    ],
    "diagrams": [
      {
        "src": "/assets/diagrams/credential-provider-flow.svg",
        "alt": "Credential provider request lifecycle",
        "title": "Credential provider flow",
        "description": "Local provider surface, vault session, and policy gates."
      }
    ]
  },
  "security": {
    "title": "Local-only chain",
    "cards": [
      {
        "title": "Local adapter",
        "body": "The request only enters through the local OS adapter on the same device."
      },
      {
        "title": "Open vault required",
        "body": "If the vault is locked, the provider path stops before release."
      },
      {
        "title": "Policy gate",
        "body": "The app or domain context must pass local policy evaluation."
      }
    ]
  },
  "limitations": {
    "title": "Limits and scope",
    "intro": "The provider path is intentionally narrow.",
    "items": [
      "Only supported platforms can use the native provider surface.",
      "A locked vault does not unlock itself in the background.",
      "The provider session is short-lived and exists only for the request."
    ],
    "notTitle": "Not cloud autofill",
    "notBody": "This is a local provider chain, not a sync-backed cloud credential service."
  },
  "cta": {
    "title": "Use system autofill with a local-only provider path.",
    "body": "The provider session remains short-lived and fails closed if the vault or policy gate is not ready."
  },
  "ui": {
    "generic": {
      "audience": "Who this is for",
      "useCases": "Use cases",
      "how": "How it works",
      "security": "Security",
      "limitations": "Limitations",
      "threatModel": "Threat Model",
      "download": "Download",
      "backHome": "Back home",
      "technicalDiagram": "Technical diagram",
      "badges": {
        "inDevelopment": "In development",
        "pro": "PRO"
      }
    },
    "credentialProvider": {
      "localOnlyChip": "Local-only path",
      "audienceTitle": "Native autofill without a cloud backplane.",
      "runtimeTitle": "The native OS surface stays a thin layer above the local Core.",
      "gateTitle": "A secret leaves the vault only after the full local check chain passes.",
      "gateIntro": "The candidates may look like ordinary autofill suggestions, but the actual secret handoff still depends on a deterministic local contract rather than a hidden background cache.",
      "lifecycleLabel": "Request lifecycle",
      "lifecycleIntro": "The OS triggers the provider surface first, then ChromVoid verifies the local Core state and opens a short-lived provider session without background unlock.",
      "diagramBadge": "Technical diagram",
      "diagramSupportBadge": "Local-only flow",
      "outcomeLabel": "Secret handoff",
      "outcomeTitle": "The secret travels only through a short-lived provider session.",
      "outcomeBody": "After `credential_provider:getSecret`, there is no standing cache that survives outside the open-vault lifecycle.",
      "platformLane": "Platform adapters",
      "sessionLane": "Vault session",
      "policyLane": "Policy match",
      "boundaryPillars": [
        "Transport",
        "Gate chain",
        "Session TTL"
      ],
      "metrics": [
        {
          "label": "Transport",
          "value": "Local-only",
          "body": "No WebRTC, WSS, USB, or relay path."
        },
        {
          "label": "Unlock",
          "value": "Vault open",
          "body": "A locked vault means fail closed."
        },
        {
          "label": "Cache",
          "value": "Short-lived",
          "body": "The provider session exists only for the request lifecycle."
        }
      ],
      "gates": [
        {
          "key": "local_core",
          "title": "Local Core",
          "detail": "The request is accepted only from the local OS adapter on the same device."
        },
        {
          "key": "core_alive",
          "title": "Core reachable",
          "detail": "The provider surface verifies that Core is reachable before the chain can continue."
        },
        {
          "key": "vault_open",
          "title": "Vault open",
          "detail": "If the vault is locked, ChromVoid does not unlock it in the background on the OS's behalf."
        },
        {
          "key": "provider_enabled",
          "title": "Provider enabled",
          "detail": "The provider can be disabled explicitly, which closes the secret-delivery path completely."
        },
        {
          "key": "allowlist_ok",
          "title": "Context allowed",
          "detail": "The app or domain context must pass policy evaluation inside the provider session."
        }
      ]
    }
  }
}
