Reference

Dashboard

The dashboard decrypts and visualizes your survey responses in the browser — without your master seed ever entering a browser. It holds a subordinate, read-only, rotatable credential: the view seed.

The capability model

Your 12 seed words are the root of two parallel key hierarchies. The survey hierarchy (encryption keys) stays on your machine with the CLI. The view hierarchy derives one-way from the master seed: the view seed can re-create every per-survey view key, but nothing about it can walk back up to the master. Respondents seal each response to both keys, so either hierarchy can open it.

CapabilityMaster seed (CLI)View seed (browser)
Read + decrypt responsesyesyes
Create surveys / spend satsyesno
Act as your identityyesno
Recover the other seedyes (re-derives the view seed)no (one-way derivation)
Rotatable if compromisedno — it is the rootyes — rotate from the CLI

Your 12 words remain the single canonical backup: they re-derive the identity, every survey key, and the view seed. The view seed needs no backup of its own.

Pairing a browser

livybolt pair
  1. The CLI derives your view seed, asks for a pairing password (it must differ from your identity password), and prints a QR code plus a copyable ncryptsec1… string. Both encode the same encrypted blob — the raw view seed never appears on screen or in the QR.
  2. On the dashboard, scan or paste the code and enter the pairing password once.
  3. The browser immediately re-wraps the view seed under your platform authenticator (Face ID / Touch ID / PIN via WebAuthn PRF), or a local password where that is unavailable. From then on, unlocking is one biometric tap. What sits in browser storage is ciphertext only — never the seed, never the PRF output.

The pairing blob is a durable, portable credential. It is not single-use, not expiring, and not device-bound — you can keep the string in a password manager and pair any future browser from it without the CLI machine present. The password is the gate; rotation is the revocation.

How reads work

Threat model, honestly

A dashboard is a served web page holding a secret while unlocked, and no amount of hardening changes what that means. Plainly:

Hardening in place: a nonce-based strict-dynamic Content-Security-Policy on the dashboard route (no inline scripts, no third-party origins, no runtime script CDNs), frame-ancestors 'none', and Trusted Types in report-only pending real-browser verification. This raises attacker cost; the residual XSS floor above is what remains, and it is the floor of any in-browser decryption design.

Losing things

You lost…Result
this browser / devicePair another with livybolt pair (or your saved pairing blob). Nothing to recover.
the pairing password or blobRun livybolt pair again — a new blob, any password you like.
your CLI machineRestore from your 12 words (livybolt id restore), then livybolt vault rebuild. The view seed re-derives too.
your 12 wordsUnrecoverable, by design. They are the only real secret.