VIBEKODED-OS // v1.0

Why our chatbot announces itself

2026.06.04// field-notes4 min read

A few days ago I was wiring up the chatbot that lives in the terminal at the bottom of this site, and I watched it set a tracking record the instant the page loaded. No click, no question, no sign of life from the visitor. The page painted, and a little visitor object went straight into local storage with a generated id on it. That is the default. Almost every chatbot does the same thing before you type a word, and you never know, because nobody tells you.

I stared at that for a while. What bothered me was not the storage itself. A number that lets the bot know you have been here before is harmless, and honestly it is useful. What bothered me was the silence. The visitor had no idea it was happening, and the only place they could have found out was a privacy policy they were never going to open. The collection was real and the consent was theoretical. The surface said nothing and the substance was already moving.

That gap is the same one I keep writing about, the distance between what a system appears to be doing and what it is actually doing. I have called it surface versus semantic before in the context of bugs, where the surface says the test passed and the substance says the feature is broken. This was the same shape pointed at consent. A policy buried three clicks away is the semantic layer: technically the disclosure exists, practically no human will ever read it. The opening turn of a conversation is the surface: it is where the visitor actually lives. If consent is going to mean anything, it has to live on the surface the visitor is standing on, not the one a lawyer would find.

say it before you do it

So I moved the disclosure to where the visitor is. The bot now opens its wake-up sequence by telling you, in its own voice, exactly what it does: it remembers this browser with a number in local storage so it knows if you come back, it logs no IPs, it keeps no fingerprints, it saves none of the chat, and you can clear the whole thing whenever you want. The full breakdown sits one link away at /privacy. None of that is in fine print. It is the first thing the bot says, before anything is stored.

This is now a written invariant on the project, I-DISCLOSURE-IN-VOICE: the bot announces what it does, in voice, during its opening turn, before any storage happens. It is not allowed to track first and explain later in a document. It explains first, on the surface, in the same register it talks to you in everywhere else.

Its partner invariant fixes the page-load problem I started with, I-STORAGE-ON-INTERACTION: the visitor record is created on your first real interaction, a chip click or a message, never on page load. A visitor who scrolls in, reads the disclosure, decides they would rather not, and leaves, writes absolutely nothing. The bot earns the right to remember you the moment you choose to talk to it, and not one moment before. That ordering is the whole ethic in a single line of control flow: disclosure, then choice, then storage.

defense in depth, pointed at consent

The reason this clicked into place fast is that the project already runs this way for something else. Brand voice here is enforced in four separate layers: the model prompt, a voice skill, a pre-commit hook, and a three-leg gate. No single layer is trusted to hold the line alone. When I went to do consent honestly, I reached for the same instinct and put the disclosure in more than one place: the bot says it on wake-up, the persona carries it so the bot never walks it back mid-conversation, the /privacy page documents it in full, and the intake form links to it before you submit. Same pattern, different subject. You do not bolt honesty on at the end. You specify it into the surfaces, plural.

That is the methodology showing, not preaching. The consent posture went from buried legalese the visitor will never read to a first-class interaction the visitor experiences in the first three seconds. The collection did not change. The honesty about it did, and the honesty is the feature.

if you are shipping an AI product that collects anything

If you are building an AI chatbot, an AI-built app, or any product that quietly stores something on the people who use it, and the consent story is a policy page you are hoping nobody reads closely, that unease is correct and it is fixable. The fix is not a bigger banner. It is consent specified into the product surfaces from the start, so honest disclosure is how the thing is built rather than a disclaimer stapled on after. Send the product and the point where it starts collecting. VibeKoded can scope a consent-and-disclosure audit of where your product silently stores, a spec-first rebuild that moves disclosure onto the surfaces users actually touch, or a standing pattern your future features inherit by default. Work with VibeKoded.

The visitor knows. That is the whole thing. Tomorrow there will be a new post, and the bot will remember you, because you will have let it.