Documentation

Set up encrypted memory sync for your AI applications.

Quick Start

Get up and running quickly.

1. Install the CLI

Download the sine~sync CLI for your platform:

# macOS / Linux
curl -sSL https://sinesync.ai/install.sh | sh
# Windows (PowerShell)
irm https://sinesync.ai/install.ps1 | iex

2. Set up with your AI coding tool

Configure your AI coding tool with MCP server and automatic capture:

sinesync setup

Setup detects your environment (Claude Code, OpenAI Codex, Cursor) and lets you choose a mode:

  • Standalone — Full memory system with encrypted SQLCipher storage
  • Adapter — Works alongside an existing Memory MCP (like claude-mem)

It automatically:

  • Registers sine~sync as an MCP server (claude mcp add or Codex config.toml)
  • Configures hooks for observation capture
  • Downloads and initializes the local embedding model (all-MiniLM-L6-v2)
  • Starts the background daemon and triggers initial cloud sync

For Codex, setup configures MCP and the notify callback in ~/.codex/config.toml. For Cursor, setup configures hooks in ~/.cursor/hooks.json.

3. Check status

Verify everything is working:

sinesync status

4. Open the dashboard

Browse and search your memories:

sinesync dashboard

The dashboard opens at http://127.0.0.1:5741 with:

  • Semantic search across all observations
  • Project filtering and statistics
  • Memory browsing and classification

Supported Tools

sine~sync works with multiple AI coding tools. All platforms get full MCP tool access for reading memories. Observation capture granularity differs by platform.

Comparison of sine~sync capabilities between Claude Code, OpenAI Codex, and Cursor.
CapabilityClaude CodeOpenAI CodexCursor
MCP tools (search, timeline, etc.)FullFullFull
Observation capturePer tool use (fine-grained)Per agent turn (summary)Per tool/file/shell (fine-grained)
Session context injectionSessionStart hookMCP tools.cursor/rules/ file
User prompt recordingUserPromptSubmit hookInput messages in notifybeforeSubmitPrompt hook
Session summariesStop hookN/A (single-turn capture)stop hook
Setupsinesync setupsinesync setupsinesync setup
Note: Codex integration captures one observation per agent turn via the notify callback, providing a summary rather than per-tool-use detail. Cursor provides fine-grained capture similar to Claude Code, with separate hooks for MCP tools, shell commands, and file edits. Context injection for Cursor uses .cursor/rules/sinesync-context.mdc with alwaysApply: true instead of stdout. MCP tools (read side) work identically across all platforms.

Operating Modes

sine~sync automatically detects your setup and operates in one of two modes.

Adapter Mode Auto-detected when a Memory MCP is installed

Works alongside your Memory MCP

In this mode, sine~sync acts as a sync and backup layer for your existing Memory MCP (like claude-mem). Your AI memories are stored in your Memory MCP's database, and sine~sync handles encrypted backup and cross-device sync.

How it works:

  • Memory MCP handles memory storage and context injection
  • sine~sync imports memories, encrypts, and syncs to cloud
  • On other devices, sine~sync pulls and exports back to your Memory MCP
  • Bidirectional sync keeps all devices in sync

Integration hooks:

Claude Code:

  • SessionStart - Injects relevant context from synced memories
  • PreCompact - Imports new observations from Memory MCP

OpenAI Codex:

  • MCP server - Read access to synced memories
  • Notify - Captures agent turn summaries for sync

Cloud sync runs automatically in the background daemon every 10 minutes.

MCP tools exposed: sinesync_status sinesync_search sinesync_projects
Standalone Mode When no Memory MCP is detected

Full memory system

In this mode, sine~sync is your complete AI memory solution. It handles storage, embeddings, semantic search, and encrypted cloud sync—all in one. Local storage uses an encrypted SQLCipher database (memory.db).

How it works:

  • sine~sync handles everything: storage, embeddings, search, sync
  • Observations stored in encrypted SQLCipher with ONNX embeddings (CoreML on Mac)
  • 3-layer search workflow: search → timeline → get_observations
  • Encrypted sync to cloud for backup and multi-device

Integration hooks:

Claude Code (per-tool-use, fine-grained):

  • SessionStart - Syncs with cloud, injects relevant context
  • PostToolUse - Captures observations from every tool use (edits, writes, commands)
  • UserPromptSubmit - Records user prompts for context
  • Stop - Generates session summary and pushes to cloud

OpenAI Codex (per-turn, coarser summary):

  • MCP server - search, timeline, get_observations (full fidelity, same as Claude Code)
  • Notify - Captures one observation per agent turn via agent-turn-complete

Cursor (per-tool/file/shell, fine-grained):

  • beforeSubmitPrompt - Injects context via .cursor/rules/sinesync-context.mdc
  • afterMCPExecution - Captures MCP tool observations
  • afterShellExecution - Captures shell command observations
  • afterFileEdit - Captures file edit observations
  • stop - Generates session summary and pushes to cloud

Cloud sync runs automatically in the background daemon every 10 minutes.

MCP tools exposed: search timeline get_observations sinesync_status sinesync_search sinesync_projects
Which mode should I use? If you're already using a Memory MCP like claude-mem, adapter mode lets you add encrypted backup and sync without changing your workflow. If you're starting fresh or want a simpler setup, standalone mode gives you everything in one tool.

Adapters

Adapters are bridges between sine~sync and memory systems. They handle importing observations for cloud sync and exporting synced observations back to your memory system.

claude-mem Available

claude-mem Adapter

The claude-mem adapter integrates with the claude-mem MCP server, providing encrypted backup and cross-device sync for your AI memories.

How it works:

  • Import: Reads observations from claude-mem's SQLite database
  • Export: Writes synced observations back to claude-mem SQLite
  • Embeddings: Syncs to ChromaDB vector store for semantic search
  • Backfill: Automatically embeds existing observations on first sync

Sync flow:

PreCompact Import new observations from claude-mem into sinesync
Background Encrypt → Push to cloud, Pull from cloud → Decrypt → Export to claude-mem
Backfill Export missing observations to claude-mem, embed into ChromaDB

More Adapters Coming

We're working on adapters for additional memory systems. Have a memory MCP you'd like us to support? Let us know.

CLI Commands

sinesync setup

Interactive setup: choose mode, register MCP server, configure hooks, start daemon

sinesync status

Show mode, sync status, storage usage, and daemon health

sinesync dashboard

Open the web dashboard for browsing and searching memories

sinesync login

Login to sine~sync cloud

sinesync signup

Create a sine~sync account

sinesync logout

Logout from sine~sync cloud

sinesync daemon start

Start the background daemon (auto-started by hooks)

sinesync daemon stop

Stop the running daemon

sinesync daemon status

Check daemon status, PID, port, and uptime

sinesync daemon logs

View daemon logs (-f to follow, -n for line count)

sinesync sync

Run bidirectional cloud sync (push + pull) with auto token refresh

sinesync sync push

Push local observations to cloud only

sinesync sync pull

Pull observations from cloud to local only

sinesync sync status

Show cloud sync status (item count, storage, devices)

sinesync config show

Show current configuration

sinesync config projects

List available projects from memory adapters

sinesync config exclude <project>

Exclude a project from sync

sinesync config include <project>

Re-include an excluded project

sinesync config include-only <project> [project2...]

Only sync specified project(s) (exclude all others)

sinesync config clear-filters

Clear all project filters (sync everything)

sinesync keypair

Generate or regenerate your vault sharing keypair

sinesync import

Import observations from claude-mem (adapter mode)

sinesync export

Export observations to claude-mem (adapter mode)

sinesync vault list

List configured vaults

sinesync vault create <name>

Create a new vault

sinesync vault delete <vault-id>

Delete a vault

sinesync vault projects <vault-id>

List projects in a vault

sinesync vault add-project <vault-id> <project-name>

Add a project to a vault

sinesync vault remove-project <vault-id> <project-name>

Remove a project from a vault

sinesync vault migrate-project <project-name> <to-vault-id>

Migrate project observations to a vault

sinesync vault sync

Sync vault keys from server

sinesync vault share <vault-id> --email <email>

Invite someone to share a vault

sinesync vault accept <invite-id>

Accept a vault sharing invitation

sinesync vault invites <vault-id>

List pending invites for a vault

sinesync vault cancel-invite <invite-id>

Cancel a pending invitation

sinesync vault pending

List your pending vault invites

sinesync vault pending-confirm

List invites awaiting your confirmation

sinesync vault confirm <invite-id>

Confirm an invite and share the vault key

sinesync vault setup-key <vault-id>

Generate and upload encryption key for a vault

sinesync vault reencrypt <vault-id>

Re-encrypt vault observations with the vault key

sinesync mcp start

Start the MCP server (called by Claude Code automatically)

sinesync doctor

Run diagnostic health checks on sinesync and adapters

sinesync doctor --fix

Automatically fix issues found by doctor

sinesync reembed

Regenerate embeddings using ONNX model

Configuration

Use sinesync config subcommands to control which projects are synced to the cloud.

Project Filtering

By default, sine~sync syncs observations from all projects. You can narrow this with include/exclude filters:

  • Exclude: sinesync config exclude <project> — skip a specific project during sync
  • Include: sinesync config include <project> — re-include a previously excluded project
  • Include-only: sinesync config include-only <project> [project2...] — only sync the specified project(s) (exclude all others)
  • Clear: sinesync config clear-filters — remove all filters and sync everything

Run sinesync config show to view your current configuration and active filters, or sinesync config projects to list available projects from your memory adapters.

MCP Tools

When registered as an MCP server, sine~sync provides these tools to Claude Code. Both modes expose sync tools. Standalone mode additionally provides a 3-layer search workflow (search → timeline → get_observations) for deep memory exploration.

Sync Tools (Both Modes)

sinesync_status

Check daemon status including storage size, observation count, embedding model, and operating mode.

sinesync_search

Quick semantic search across all observations. Use the standalone search tool for filtered queries by project, type, or date range.

sinesync_projects

List all projects and the number of observations in each. Useful for discovering available projects before filtering searches.

Memory Tools (Standalone Mode)

In standalone mode, sine~sync exposes a 3-layer search workflow matching the claude-mem pattern. Observations are captured automatically via hooks—no manual storage tool needed.

search

Search observations by semantic similarity. Filter by project, type (discovery, decision, bugfix, feature, change, refactor), and date range. Returns IDs, titles, and scores.

timeline

View observations surrounding a point in time. Provide an observation ID as anchor, or a query to find one automatically. Returns neighboring observations with full details.

get_observations

Fetch full observation details by ID. Returns complete content, facts, concepts, files, and metadata. Use after search to get full context.

Keypair Generation

To share vaults with others, you need an X25519 keypair. This is used to securely exchange vault encryption keys.

Why CLI Only?

Keypair generation happens in the CLI because it requires your encryption key to protect your private key. The CLI has access to your derived encryption key (from your password + secret key), which the web interface doesn't store for security reasons.

Your private key is encrypted before being uploaded to our servers, ensuring we can never read it.

Generate Your Keypair

If you signed up via the web, simply log in with the CLI:

sinesync login

The CLI automatically generates a keypair if you don't have one. Your public key is uploaded so others can encrypt vault keys for you. Your private key is encrypted locally with your derived key before upload—we never see the raw private key.

To regenerate your keypair (e.g., for key rotation), run:

sinesync keypair

When Do You Need a Keypair?

  • Accepting vault invites — The inviter encrypts the vault key with your public key
  • CLI signup — Automatically generates a keypair during signup
  • Web signup — Keypair generated automatically on first sinesync login
Note: If you see a "Keypair required" warning when trying to accept an invite, run sinesync keypair in the CLI first.

Vault Sharing

Share vaults with teammates while maintaining zero-knowledge encryption. Vault keys are exchanged securely without ever touching our servers.

How It Works

sine~sync uses two-channel key exchange to securely share vaults with new users who don't yet have an account.

Why two codes? Even if an attacker intercepts the email, they can't decrypt the vault key without the second code shared through a different channel. This is similar to how banks send password and PIN separately.

Sending an Invite

To share a vault, run the share command with the recipient's email:

sinesync vault share <vault-id> --email teammate@company.com

sine~sync will guide you through the secure key exchange process.

Accepting an Invite & Migrating Projects

When you're invited to a shared vault, you may already have observations for the same project in your personal vault. Here's how to accept the invite and migrate your existing work to the shared vault.

What happens during migration? Your observations are decrypted locally using your personal vault key, then re-encrypted with the shared vault key. The re-encrypted data syncs to the cloud and becomes available to all vault members. Your original observations in the personal vault are removed after successful migration.
Before migrating: Make sure you want to share all observations for this project. Migration moves everything—you can't selectively migrate individual observations.

Organizations

Overview

Organizations let teams manage members, enforce SSO authentication via SAML, and automate user provisioning with SCIM. An organization admin can configure identity provider integration, manage verified domains, and control session policies.

Creating an Organization

  1. Log in to sine~sync and click Create Organization in the navigation
  2. Enter an organization name and choose a URL slug (used for SSO login URLs)
  3. Select a plan and billing interval, or start a 30-day free trial
  4. You'll become the first admin of the organization

Setting Up SAML SSO

SAML allows your team to log in using your existing identity provider (Okta, Azure AD, Google Workspace, etc.).

  1. Add and verify a domain — Go to Organization → Settings → Domains. Add your email domain (e.g. company.com) and create a DNS TXT record with the provided verification token
  2. Get SP metadata — In the SAML Configuration section, copy the SP Metadata URL shown at the bottom. Provide this to your IdP when creating the SAML application
  3. Configure your IdP — In your identity provider, create a new SAML application for sine~sync. Set the ACS URL and Entity ID from the SP metadata
  4. Enter IdP details — Back in sine~sync Settings, fill in:
    • IdP Entity ID — The entityID from your IdP's metadata
    • SSO URL — The SingleSignOnService URL (HTTP-Redirect binding)
    • IdP Certificate — The PEM-encoded X.509 signing certificate
  5. Configure attribute mapping — Map the SAML attribute names your IdP sends:
    • Email (required) — The attribute containing the user's email
    • First Name / Last Name (optional) — For display in the members list
    • Groups (optional) — Enables automatic group sync from your IdP
  6. Enable SAML — Check the "SAML Enabled" toggle and save
  7. Test — Open a private browser window and log in with an email from your verified domain. You should be redirected to your IdP

Setting Up SCIM Provisioning

SCIM automates user lifecycle management — creating accounts when users are assigned in your IdP, and deactivating them when removed.

  1. Go to Organization → Settings → SCIM Provisioning
  2. Click Generate Token and give it a label
  3. Copy the token immediately — it cannot be retrieved again
  4. In your IdP's SCIM provisioning settings, enter:
    • SCIM Base URL: https://api.sinesync.ai/v1/scim/v2
    • Bearer Token: The token you just generated
  5. Enable provisioning in your IdP. Supported operations: create users, update profiles, deactivate users, and sync groups

Using the CLI as an Organization Member

Organization members who authenticate via SAML use the CLI slightly differently from password-based users.

First Login (New Device)

  1. Run sinesync login and enter your email
  2. A browser window opens and redirects to your IdP for SAML authentication
  3. After authenticating, the CLI detects you're an SSO user
  4. First device ever: Encryption keys are generated automatically and secured with a device key stored in your OS keychain. No password or secret key is needed
  5. New device (keys already exist): A 6-digit linking code is displayed. On an existing device, run sinesync device approve and enter the code to transfer encryption keys securely

Device Approval

When a team member logs in on a new device, they need another device to approve the key transfer:

  1. New device shows: Linking code: 483-721
  2. On existing device, run: sinesync device approve
  3. Select the pending request and enter the 6-digit code
  4. Encryption keys are transferred securely using an Argon2id-derived key — the code expires after 5 minutes and allows only 3 attempts

Day-to-Day Usage

Once set up, the CLI works identically to password-based accounts. All sync, vault, and MCP commands work the same way. Your encryption keys are unlocked automatically from the device keychain on each sinesync login.

Lost all devices? If a team member loses access to all their devices, an org admin can reset their SSO credentials. The user will bootstrap fresh keys on their next login. Existing shared vault data is preserved through other members' copies.

Managing Members

Go to Organization → Members to manage your team:

  • Admin — Full access to settings, SAML/SCIM config, member and group management
  • Member — Standard access to sync, vaults, and their own settings

With auto-provisioning enabled, new users are automatically added as members on first SAML login. With SCIM, your IdP manages the full user lifecycle.

Security Model

Zero-Knowledge Architecture

sine~sync uses a zero-knowledge encryption model. Your encryption key is derived entirely on your device and never transmitted to our servers. We cannot read your data.

Encryption Flow

Your Device
Master Password + Secret Key
Argon2id 64MB memory, 3 iterations
256-bit Encryption Key
AES-256-GCM Encryption
Encrypted Blob Cloud

Technical Details

  • Key Derivation: Argon2id (64MB memory, 3 iterations, 4 parallelism)
  • Encryption: AES-256-GCM (authenticated encryption)
  • Nonce: 96-bit random nonce per operation
  • AAD: Type-specific descriptors (e.g. sinesync-observation-v1) used as additional authenticated data
Important: Because we use zero-knowledge encryption, we cannot decrypt your data if you lose your master password OR secret key. Keep your secret key stored securely (password manager, secure note, etc.).

Troubleshooting

sine~sync includes a built-in diagnostic tool to identify and fix common issues.

Doctor Command

Run sinesync doctor to check the health of your installation:

sinesync doctor

This checks:

  • Core: Local storage integrity, daemon status, embedding model health
  • Standalone: SQLCipher database access, embedding compatibility, cloud sync status
  • claude-mem: Stuck SDK sessions, orphaned messages, embedding backlog, ChromaDB health

To automatically fix issues, add the --fix flag:

sinesync doctor --fix

Common Issues

  • Token expired: CLI commands auto-refresh expired tokens. If refresh fails, run sinesync login to re-authenticate.
  • Incompatible embeddings: Observations pulled from cloud may have embeddings from a different model. The daemon automatically re-embeds them on pull for local search compatibility.
  • Stuck sessions (adapter mode): claude-mem SDK sessions active for hours. Doctor completes them so new sessions can start.
  • Embedding backlog (adapter mode): Observations missing ChromaDB embeddings after a sync. Doctor backfills them automatically.

FAQ