§ Features

Built for the careful few.

Orbit is a small set of things, each made carefully. Here's what's inside, and the math behind the part that matters most.

§ 01 Clients — people, not pipelines

A client in Orbit is a person — or a project, or an account, however you think about it. Each one has a name, a color, a free-form notes field, and the tasks and credentials that belong to them. There are no stages, no scoring, no deal sizes, no Kanban. Orbit is for the people you already know you're working with.

Browse them in the sidebar. Archive the ones you're done with. Or pick a color and find them across the app at a glance.

§ 02 Tasks — today, with context

Every task lives under a client. That sounds restrictive; it's not. It means every reminder in your list shows up with the person it's for, which is the bit you actually need in order to act.

  • Quick-add from anywhere: ⌘N on Mac, swipe on iOS.
  • Priorities you'll actually use — low, normal, high.
  • An "All Tasks" view that collapses by client, filters by priority, and hides the noise.

§ 03 Vault — credentials, sealed

The vault holds the small, important things you don't want loose. Each entry has a title and a type, and a body that's encrypted on your device before it leaves it. Supported types:

  • Login: username, password, optional URL, optional notes.
  • API key: the key itself, with service name and optional environment.
  • Card: number, expiration, CVC, holder name. Useful for the cards you actually use for business.
  • Secure note: any free-form text you'd rather not leave unencrypted.

§ 04 Encryption — the math, briefly

Orbit's vault uses an industry-standard wrap-key design — the same shape used by password managers like 1Password and Bitwarden.

  1. On signup, a 256-bit vault key is generated on your device with a cryptographically secure RNG. It never leaves the device in clear form.
  2. A random 16-byte salt is generated alongside.
  3. A key-encryption-key (KEK) is derived from your password via PBKDF2-HMAC-SHA-256 at 600 000 iterations.
  4. The vault key is sealed with AES-GCM-256 under the KEK. Only the sealed bytes, the salt, and the IV travel to the server.
  5. Each vault entry's body is sealed under the vault key with a fresh AES-GCM nonce per entry.

On a new device, you sign in with your email and password. The server hands back the sealed bytes; your device runs PBKDF2 against your password and the salt, derives the KEK, and unseals the vault key locally. The server is never in possession of a key it can decrypt with.
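
The wrap-key flow from steps 1 to 5 and the new-device unlock, written out as an added example in Node.js (not Orbit's own code, which is a Swift app). Function names and the record layout are assumptions, and the GCM authentication tag is treated as part of the sealed bytes.

```javascript
// Added example, not Orbit's code: the wrap-key steps with Node's built-in crypto.
// All function names and the serverRecord layout are assumptions for illustration.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // PBKDF2-HMAC-SHA-256 iteration count stated on the page

// AES-256-GCM seal with a fresh random 12-byte IV (nonce) on every call.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext, IV or tag was modified.
function unseal(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Step 3: derive the 256-bit KEK from the password and salt.
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Steps 1, 2 and 4: runs on the device; serverRecord is all the server receives.
function signup(password) {
  const vaultKey = crypto.randomBytes(32); // 256-bit vault key from a CSPRNG
  const salt = crypto.randomBytes(16);     // random 16-byte salt
  const wrapped = seal(deriveKek(password, salt), vaultKey);
  return { vaultKey, serverRecord: { salt, wrapped } };
}

// New device: re-derive the KEK locally and unseal the vault key.
function unlock(password, serverRecord) {
  return unseal(deriveKek(password, serverRecord.salt), serverRecord.wrapped);
}

// Step 5: each entry body is sealed under the vault key with its own nonce.
function sealEntry(vaultKey, body) { return seal(vaultKey, Buffer.from(body, 'utf8')); }
function openEntry(vaultKey, sealed) { return unseal(vaultKey, sealed).toString('utf8'); }
```

A wrong password does not produce garbage output: the GCM tag check in `unseal` fails and the call throws, which is how the client can tell a bad password from a good one without the server ever verifying it.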

§ 05 Sync — courier, not leash

Orbit is offline-first. Your local SwiftData store is the source of truth on each device; the server is a courier between them. Sync runs on every save, every app launch, and on demand. Conflicts resolve by last-write-wins with timestamp arbitration; conflicts on the vault are vanishingly rare because each entry has its own ID.

Connection lost? Keep working. Everything queues. When you're back, it sends.

§ 06 Authentication — one gate, two factors of convenience

One password unlocks the whole app. On top of that, you can opt in to:

  • Touch ID (Mac with a fingerprint sensor) — caches your vault key in the local Keychain with biometry-current-set protection.
  • Face ID (iPhone / iPad) — same mechanism.

Biometric unlock is per-device. The password remains the source of truth across devices.

§ 07 Native, on both platforms

Orbit is real SwiftUI on both macOS and iOS. No Electron, no React Native, no web view. That means:

  • Keyboard shortcuts on Mac — ⌘N, ⌘F, ⇧⌘L to lock from anywhere.
  • Real iOS gestures, real iOS context menus, real haptic feedback.
  • Memory footprints measured in tens of megabytes, not hundreds.
  • Universal binary on Apple Silicon and Intel.

§ 08 Threat model

Honesty about what the design protects against and what it doesn't:

Protected against:

  • Database breach — vault ciphertext is useless without the password; brute force requires 600 000 PBKDF2-HMAC-SHA-256 iterations per guess.
  • TLS termination by an intermediary — payloads are already encrypted before they enter the TLS layer.
  • Stolen or lost device — without your password, the vault key on a recovered disk is still wrapped.
  • Subpoena targeting our infrastructure — we don't have the plaintext to hand over.

Not protected against:

  • A compromised, unlocked device. While Orbit is open, the vault key is in memory.
  • A keylogger or screen-grabber on your device.
  • A user picking "password" as their password. PBKDF2 raises the cost; it doesn't eliminate it.
  • A coerced unlock — you, typing your own password under duress.