Cross-device sync Pro+
Your work follows you. Your plaintext never leaves your machines.
Snippets, todos, and memory replicate across every machine on your license, end-to-end encrypted on the client. The server stores ciphertext only and could not decrypt your data if it tried.
The server cannot read your data.
The envelope key is derived locally from your recovery receipt with PBKDF2-HMAC-SHA256 (600k iterations). The receipt never crosses the wire. Server compromise leaks ciphertext only; that guarantee rests on the key staying on the client, not on the worker behaving, and the worker source is published so you can check that it never handles one.
No silent deletes across devices.
Additive merge: a local snippet the peer didn’t push is kept. Conflicts on the same id resolve by last-write-wins; memory chunks compare their monotonic version counter first and use updatedAt only to break a tie. Concurrent edits to one id don’t corrupt your state, but they aren’t merged either: one side’s copy wins for that id and the other is dropped.
Failures surface; corruption doesn’t.
The SHA-256 of every blob is verified before decrypt. R2 corruption → distinct BlobIntegrityError in the activity log, not a cryptic AES-GCM throw. The GCM tag would catch the damage too; the hash runs first so the log can name storage corruption instead of a generic authentication failure. One bad bundle doesn’t poison the rest of the pull.
How it works
Push, pull, prove.
Every cycle: snapshot your stores, hash to detect change, encrypt client-side, sign the canonical string with your device’s ed25519 key, POST to the worker. Pulls reverse the chain: verify the SHA-256, decrypt locally, route to each store via its registered apply callback.
What syncs · what doesn’t
You decide what follows you.
Three stores wired today. Each picks its own merge contract — the right one for that data shape.
| Store | Merge contract | Status |
|---|---|---|
| Snippets (saved prompts, scoped to a handle) | Last-write-wins per id · additive (local-only kept) | ✓ wired |
| Todos (per-session task lists) | Per-session LWW · additive · validateTodos invariants enforced on incoming | ✓ wired |
| Memory, global (~/.azmx/memory-global/, facts that follow you across workspaces) | LWW by version (monotonic counter) · tie-break by updatedAt · additive | ✓ wired |
| Workspace memory (<workspace>/.azmx/memory/, project-scoped facts) | Excluded by design: workspace paths differ across machines, so sync would create dead pointers | n/a by design |
| Chat sessions · agents · skills | — | roadmap |
| BYOK keys · MCP secrets | Excluded by design: the sovereignty boundary stays per-machine | n/a by design |
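Worked example of the merge contracts in the table above, as pure functions over plain records. This is an added illustration, not AZMX’s own merge code; the field names id, updatedAt and version and the sample records are assumptions. The same rules are restated in the FAQ answer on conflicts below.

```javascript
// Added example (not AZMX's shipped code). Field names id, updatedAt
// (unix ms) and version, and all sample records, are constructed.

// Additive merge with a per-id conflict rule. Every id seen on either
// side survives; only ids present on BOTH sides go through pickWinner.
// Nothing is ever silently deleted.
function mergeAdditive(local, remote, pickWinner) {
  const out = new Map();
  for (const item of local) out.set(item.id, item);
  for (const item of remote) {
    const mine = out.get(item.id);
    out.set(item.id, mine === undefined ? item : pickWinner(mine, item));
  }
  return [...out.values()];
}

// Snippets / todos: last-write-wins by updatedAt. An exact tie keeps local.
function lwwByUpdatedAt(local, remote) {
  return remote.updatedAt > local.updatedAt ? remote : local;
}

// Global memory: the monotonic version counter decides; updatedAt only
// breaks a version tie. Arrival order and clock skew never matter.
function lwwByVersion(local, remote) {
  if (remote.version !== local.version) {
    return remote.version > local.version ? remote : local;
  }
  return lwwByUpdatedAt(local, remote);
}

function mergeSnippets(local, remote) { return mergeAdditive(local, remote, lwwByUpdatedAt); }
function mergeMemory(local, remote) { return mergeAdditive(local, remote, lwwByVersion); }

// Constructed sample state for two devices.
const localSnips = [
  { id: 's1', body: 'local edit', updatedAt: 200 },
  { id: 's2', body: 'only on this machine', updatedAt: 100 },
];
const remoteSnips = [
  { id: 's1', body: 'remote edit', updatedAt: 300 },
  { id: 's3', body: 'only on the peer', updatedAt: 150 },
];
// The peer's clock is ahead, but its copy is an older version: version wins.
const localMem = [{ id: 'm1', text: 'v3 from laptop', version: 3, updatedAt: 500 }];
const remoteMem = [{ id: 'm1', text: 'v2 from desktop', version: 2, updatedAt: 900 }];

function demo() {
  const snips = mergeSnippets(localSnips, remoteSnips)
    .sort((a, b) => a.id.localeCompare(b.id));
  const mem = mergeMemory(localMem, remoteMem);
  return { snips, mem };
}

// A merge rule is only safe across devices if both sides converge on the
// same state whichever one pulls first.
function symmetric(a, b, merge) {
  const key = (xs) => JSON.stringify([...xs].sort((x, y) => x.id.localeCompare(y.id)));
  return key(merge(a, b)) === key(merge(b, a));
}
```

The symmetric check is what "regardless of arrival order" has to mean in practice: run it on any new merge rule before wiring a store, because a rule that depends on which side is called local will drift the two machines apart.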
Trust model
The exact bytes that cross the wire.
Auditable, not aspirational. Below is a real envelope, decoded.
Per-envelope layout (after base64url)
┌────────┬──────────────┬────────────────────────────┐
│ ver(1) │ iv(12 B)     │ ciphertext + AES-GCM tag   │
└────────┴──────────────┴────────────────────────────┘
  ver:              0x01
  iv:               fresh random per envelope
  ciphertext + tag: AES-256-GCM output, 16-byte tag appended
Key derivation
PBKDF2-HMAC-SHA256(
  password = recoveryReceipt,                       // never transmitted
  salt     = "azmx.sync.envelope.v1:" + licenseLid, // per-license, not secret
  iters    = 600_000,                               // OWASP 2023 floor for PBKDF2-SHA256
  out      = 256 bits                               // → AES-256-GCM key
)
The salt is your license id, so every device on the license derives the same key without any key exchange. It is not a secret, which means the envelope key is exactly as strong as the receipt it is derived from.
Wire-level authentication
Every push, pull, blob fetch, and device-revoke is signed by the device’s ed25519 private key (lives in your local 0600 file, never crosses the FFI boundary). The server verifies against the pubkey you registered at /sync/init.
The signed canonical is pinned format:
push|<deviceId>|<seq>|<sha256>|<ts>
Replay defense: ts is unix seconds; the server rejects anything outside ±5 min of its own clock. That window alone would still admit a replay inside ten minutes, so seq monotonicity is enforced server-side per device: a re-sent push carries a seq the server has already consumed and is rejected.
Receipt loss policy
We do not escrow your recovery receipt. Lose it and the existing ciphertext is unrecoverable — re-sync from scratch on a fresh device. This is the sovereignty cost; we’re honest about it.
Setup
Four taps from off to syncing.
Open Settings → Sync
Pro+ license required. Free shows the manual export/import path (Settings → Data) instead.
Toggle ON
UI auto-registers this device via /sync/init and persists the assigned deviceId in the syncStore.
Paste recovery receipt
From your activation email. Debounced save to local secrets store — never transmitted.
That’s it
Background cycle fires every 5 min (clamped 30s–60min, skip-if-busy/hidden). Activity log surfaces every event.
Built for
Three teams who’ve been waiting for this.
Multi-machine developers
Work laptop in the morning, desktop in the afternoon. The snippet you saved this morning is on the desktop by lunch — no manual export.
Privacy-bound engineers
Healthcare, finance, defense — places where "ship your code to a vendor cloud" is non-negotiably no. AZMX sync is the same E2E posture as your password manager. The server is structurally blind.
Teams shipping shared context
Onboarding a teammate becomes "here’s your license code." Global memory replicates the conventions; the shared MCP registry surfaces the tools; the spend dashboard shows the bill in one place.
The honest answers
Questions developers actually ask.
If you can’t decrypt, how does the server work?
It doesn’t need to. The worker stores sealed-envelope bytes in R2 keyed by license + device + seq. It verifies device sigs, enforces seq monotonicity, and serves the bytes back on pull. Decryption happens only on devices that hold the recovery receipt.
What if I lose my recovery receipt?
Existing ciphertext becomes unrecoverable. Re-sync from a fresh state on the new device. We don’t escrow keys — that’s the trade-off the sovereignty contract makes.
How often does sync run?
Background cycle every 5 minutes by default (clamped 30s–60min). Skips when the previous cycle hasn’t drained, or when the renderer is hidden (no point burning requests). Manual "Sync now" button in Settings forces an immediate cycle.
What about conflicts when both devices edit the same thing?
Per-store contract decides. Snippets use last-write-wins per id. Memory uses LWW by monotonic version counter, with updatedAt only as the tie-break: every chunk write bumps the version, so the device with the higher-version copy wins regardless of arrival order or clock skew. Local-only entries are always kept.
Does this count against my BYOK provider bill?
No. Sync is a separate transport (Cloudflare R2 + Workers). Your provider keys don’t enter the picture; nothing about sync touches model traffic.
Can my org audit what gets pushed?
Yes — Teams admins see per-device metadata (sealed-byte size, sync timestamps, blob count) in the admin console. Plaintext content stays unreadable to the server, by design. Admin console →
Your work, everywhere. Without the server seeing it.
Available today on Pro, Teams, Enterprise, and Gov tiers. Free includes manual encrypted export/import — the same data, different cadence.
Deep-dive: /docs · cross-device sync · Trust boundary: /security