vsync is a read-only observer. It watches AI session files on your machine (Cursor, Claude Code, Windsurf, Codex) and sends session turn summaries to the VerifiedState API. That's it.
- The
vsyncdaemon runs entirely on your machine - All file watching, JSONL parsing, and turn extraction happens locally
- Generated context files (
CLAUDE.md,.cursor/rules/verifiedstate.mdc,.cursor/hot-context.md,.cursor/vstate-session.md,AGENTS.md) are written to your repo — content is derived from your VerifiedState account, not uploaded as raw repo files - Your code, file contents, and git history are never read or transmitted
- Local audit log:
~/.vsync/audit.jsonl(every API call logged before send)
When the daemon captures a turn, it sends to api.verifiedstate.ai:
- Session turn text: User prompts and AI responses, truncated to 10-20KB per turn
- Tool actions: Names of tools used (Read, Edit, Bash) and file paths (truncated)
- Code diffs: Edit/Write inputs — old_string/new_string pairs, truncated
- Git metadata: Commit hash, message, branch, files changed, author
- Session metadata: Session ID, project name, repo name, model, tool, timestamps
Session auto-start and auto-save call mcp.verifiedstate.ai to load/save session summaries (same API key, HTTPS only).
- Environment variables — never reads
process.envbeyondNO_COLORandHOME - API keys / secrets — scrubbed before any payload leaves your machine
- .env files — hard-rejected; never read, period
- Private keys — PEM/SSH patterns scrubbed before sending
- File contents outside session files — only reads declared paths
- Network traffic or browsing history
Your machine VerifiedState
+------------------+ +----------------------+
| AI session files |--read-only--> | api.verifiedstate.ai |
| (Cursor, Claude | --scrub--> | /ingest |
| Code, Windsurf, | --send--> | mcp.verifiedstate.ai |
| Codex) | | (session load/save) |
+------------------+ +----------------------+
|
v
~/.vsync/audit.jsonl (local log of everything sent)
No analytics. No telemetry. No third-party services.
| Endpoint | Purpose |
|---|---|
api.verifiedstate.ai/ingest |
Send session turn data |
api.verifiedstate.ai/whoami |
Verify API key on init |
mcp.verifiedstate.ai/mcp |
Session load/save, working state |
context.verifiedstate.ai/context |
Hot context refresh |
All configurable via ~/.vsync/config.json.
~/.claude/projects/**/*.jsonl— Claude Code sessions- Cursor/Windsurf
state.vscdb— SQLite database (read-only copy) ~/.codex/sessions/**/*.jsonl— Codex CLI sessions.git/refs/heads/— commit polling~/.vsync/config.json— configuration
~/.vsync/: config, logs, queue, audit.jsonl- Repo:
.cursor/hot-context.md,.cursor/vstate-session.md, rules,CLAUDE.md
- Run shell commands (except
git logfor commit metadata) - Write to user source files (except generated context files above)
- Modify git state
- Read
.envfiles, credentials, or private keys
vsync stores your API key in ~/.vsync/config.json with file permissions set to 600. The key is never logged or written to your repo.
Run vsync uninstall from a project where vsync was initialized to remove generated files and stop the daemon. Stored memory remains in your VerifiedState account until you delete it via the dashboard.
vsync start --dry-run --foreground # see payload without sending
vsync audit # view all API calls ever made
vsync audit verify # check hash chain integrity
npm audit signatures # verify npm package provenanceEmail security@verifiedstate.ai. We respond within 48 hours.
The vsync CLI ships via npm (@verifiedstate/sync). This repo contains docs, templates, and examples. The hosted VerifiedState substrate is operated by VerifiedState.