@verifiedstate/sync

v2.9.0

Published

a month ago

Auto-capture every AI session turn into VerifiedState — Cursor + Claude Code, always on

0High
0Medium
0Low

verifiedstate

verifiedstate ai-memory claude-code cursor session-capture sync vsync

@verifiedstate/sync v2

Auto-capture every AI session turn into VerifiedState. Cursor + Claude Code, always on.

Install

npm install -g @verifiedstate/sync

Setup

vsync init     # interactive — paste your API key, detect tools
vsync start    # launch background daemon
vsync status   # check capture progress
vsync logs     # tail recent activity
vsync stop     # stop the daemon

What it does

Every turn in Cursor and Claude Code becomes an artifact + assertion in VerifiedState, automatically. No user action required.

Watches ~/.claude/projects/**/*.jsonl for Claude Code sessions
Watches Cursor's history directory for chat sessions
Auto-tags by repo, branch, tool, and file references
Offline buffer — queues locally when API is unreachable, flushes on reconnect
Survives restarts — resumes from last processed position
Runs as a background daemon with PID management

Config

~/.vsync/config.json:

{
  "api_key": "your-key",
  "api_endpoint": "https://api.verifiedstate.ai",
  "namespace_id": "uuid",
  "watch": {
    "cursor": true,
    "claude_code": true
  },
  "tags": {
    "auto_tag_repo": true,
    "auto_tag_project": true
  }
}

Files

~/.vsync/config.json — configuration
~/.vsync/vsync.pid — daemon PID
~/.vsync/vsync.log — daemon log (auto-rotated at 1MB)
~/.vsync/queue/ — offline buffer
~/.vsync/resume.json — file resume points

Pricing

Free — $0. Individual developers and personal projects.

Pro — $19/month (founder pricing). Higher limits, multi-project workspaces, audit exports, commercial use. Locked for 12 months at launch.

Enterprise — Contact us. Teams, companies, multi-seat, SSO, SLA, on-prem.

Free is for individual developers and personal use. Team, company, agency, or organizational use requires Enterprise — even when each developer installs separately.

Trust & Security

vsync is a read-only observer. It watches your AI session files and sends turn summaries to VerifiedState. It cannot run commands, write to your files, modify git, or access anything outside its declared scope.

Full details: SECURITY.md

What vsync can and cannot do

| Can | Cannot | |---|---| | Read AI session files (Cursor, Claude Code, Windsurf) | Run shell commands (except git log for commit metadata) | | Send turn summaries to api.verifiedstate.ai | Write to user source files | | Write to ~/.vsync/ (config, logs, audit) | Modify git state | | Read .git/refs/ for commit detection | Access files outside declared paths | | | Read .env, credentials, or private keys | | | Send data to any domain except your configured endpoint |

How to verify

npm provenance — verify the package was built in GitHub Actions, not a local machine:
```
npm audit signatures
```
Local audit log — see every API call vsync has ever made from your machine:
```
vsync audit
```
Hash chain verification — check that no audit entries were tampered with:
```
vsync audit verify
```
Dry run — see the exact payload before anything leaves your machine:
```
vsync start --dry-run --foreground
```
Source code — it's all in packages/sync/src/, ~1500 lines of TypeScript. Read it.

Secrets filtering

vsync scrubs payloads before sending:

.env files are hard-rejected — never read, never sent
API keys (sk-*, ghp_*, AKIA*), bearer tokens, PEM headers, connection strings are regex-scrubbed
Redacted items are logged locally: vsync audit shows [redacted: pattern_name]

Project allow-list

Only watch projects you explicitly allow:

vsync allow /path/to/project     # add to allow-list
vsync allow                       # show current list
vsync deny /path/to/project      # remove

License

MIT — VerifiedState