Architecture

System design, threat model, and security rationale.

Overview

WebStray Authenticator is a secure, hardware-bound desktop password manager in which data confidentiality and integrity are enforced through authenticated encryption. The architecture is designed so that the security of the vault depends not on the privacy of the filesystem but on robust cryptographic primitives.

This section explores how the threat model and technical constraints shape the implementation of cryptography, storage, and extensibility. While this section focuses on design intent and architectural trade-offs, it also provides specific implementation details regarding the internal mechanisms of the application.

Reading Order

To understand the WebStray Authenticator architecture, read the pages in this order:

  1. Security Model – Threats, assumptions, and boundaries.
  2. Cryptography – Keys, algorithms, and hardware binding.
  3. Local-First – Local data storage, offline use, and privacy.
  4. App Lifecycle – App.jsx orchestration, authentication states, and screen rendering.
  5. Storage – Persistence layer, database engine, and document schema.
  6. Sessions – Authentication, verification, and logout logic.
  7. Import & Export – JSON exports, password-protected record payloads, and data portability.
  8. Credential Rotation – Master Password changes and re-wrapping the Vault Key.
  9. Plugin System – Discovery, SDK, slots, and teardown logic.

Summary

The WebStray Authenticator architecture is defined by the principles of zero-knowledge and hardware-bound security. By strictly decoupling identity verification from data encryption, the system ensures that your vault remains a resilient "black box" – protected from unauthorized access even if the storage environment is compromised.