Credential Provider Local-only path

Native autofill without a cloud backplane.

The OS surface stays thin while the local Core decides whether a secret may leave the vault for a short-lived provider session.

A secret leaves the vault only after the full local check chain passes.

Candidates may look like familiar autofill, but the real secret handoff still depends on a deterministic local contract instead of a hidden background cache.

Platform adapters

Open-vault delivery

Only an unlocked vault can emit the secret into the provider session.

Vault session

System autofill

Use a native surface on supported platforms without moving trust into the cloud.

Policy match

Deterministic checks

Policy, reachability, and session state all fail closed when the chain breaks.

Secret handoff

The secret travels only through a short-lived provider session.

After `credential_provider:getSecret`, there is no standing cache that survives outside the open-vault lifecycle.

Transport | Gate chain | Session TTL
local_core

Local Core

The request is accepted only from the local OS adapter on the same device.

core_alive

Core reachable

The provider surface verifies that Core is reachable before the chain can continue.

vault_open

Vault open

If the vault is locked, ChromVoid does not unlock it in the background on the OS's behalf.

provider_enabled

Provider enabled

The provider can be disabled explicitly, which closes the secret-delivery path completely.

allowlist_ok

Context allowed

The app or domain context must pass policy evaluation inside the provider session.

Request lifecycle

The OS triggers the provider surface first, then ChromVoid verifies the local Core state and opens a short-lived provider session without background unlock.

Technical diagram: Local-only flow
01

The OS calls the provider surface

A local adapter receives the request from the supported platform.

02

Core checks local state

Vault state and policy are verified before any secret can leave.

03

A short provider session is opened

The secret is delivered and the session disappears again.
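
The gate chain and request lifecycle described above, modelled as an added example (not ChromVoid's own code). The gate names come from the page; the class names, the "os_adapter" origin string, the single-use session and the 5-second TTL are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

# Gate names and order come from the page; the evaluation logic is an assumption.
GATES = ("local_core", "core_alive", "vault_open", "provider_enabled", "allowlist_ok")

@dataclass
class ProviderSession:
    context: str
    expires_at: float
    used: bool = False

class LocalCore:
    def __init__(self, secrets, allowlist, ttl=5.0, clock=time.monotonic):
        self._secrets, self._allowlist = dict(secrets), set(allowlist)
        self.ttl, self.clock = ttl, clock
        self.alive, self.vault_open, self.provider_enabled = True, False, True

    def first_failed_gate(self, origin, context):
        """Return the first gate that does not pass, or None if the chain holds."""
        # "origin" stands in for real caller authentication by the OS adapter.
        state = {
            "local_core": origin == "os_adapter",
            "core_alive": self.alive,
            "vault_open": self.vault_open,
            "provider_enabled": self.provider_enabled,
            "allowlist_ok": context in self._allowlist,
        }
        # Fail closed: a missing or non-True result stops the chain.
        return next((g for g in GATES if state.get(g) is not True), None)

    def open_session(self, origin, context):
        """Open a short-lived session only when every gate passed."""
        if self.first_failed_gate(origin, context) is not None:
            return None
        return ProviderSession(context, self.clock() + self.ttl)

    def get_secret(self, session):
        """Hand the secret off once; a closed gate, reuse or expiry returns None."""
        if session is None or not (self.vault_open and self.provider_enabled):
            return None
        if session.used or self.clock() >= session.expires_at:
            return None
        session.used = True  # single use: nothing is cached for a second read
        return self._secrets.get(session.context)
```

The vault and provider state are checked again at handoff, so locking the vault or disabling the provider invalidates a session that was opened earlier.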

Limits and scope

The provider path is intentionally narrow.

  • Only supported platforms can use the native provider surface.
  • A locked vault does not unlock itself in the background.
  • The provider session is short-lived and exists only for the request.

Use system autofill with a local-only provider path.

The provider session remains short-lived and fails closed if the vault or policy gate is not ready.