Cloud Sync Overview
Sanctum-authenticated REST API + Reverb WebSocket for real-time cluster, change-request, invite, and inbox events — with end-to-end encrypted vault sharing.
Two transports
- REST API — Sanctum bearer tokens, JSON Patch (RFC 6902) for partial updates with version-based conflict detection.
- Reverb WebSocket — Pusher protocol with Sanctum auth; auto-reconnect; per-nexus and per-user channels.
Real-time events
| Event | Channel | What it does |
|---|---|---|
ClusterCreated | per-nexus | New cluster appears in every member's sidebar. |
ClusterUpdated | per-nexus | Live diff of cluster fields applied to all open tabs. |
ClusterDeleted | per-nexus | Removed from sidebars; open tabs warn before save. |
ClusterForked | per-nexus | Notifies the owner that someone forked a public cluster. |
ChangeRequestCreated/Approved/Rejected | per-nexus | Updates the CR list and notifies reviewers. |
MemberJoined | per-nexus | New member appears in the roster. |
InviteReceived | per-user | Invitation badge in the notification panel. |
EmailReceived | per-user | Cloud SMTP messages stream into the inbox. |
What syncs
- API clusters & their requests, variables, auth, scripts, cookies.
- Nexus members & roles.
- Change requests & comments.
- Cloud SMTP inboxes.
- Vault items shared with the Nexus.
- Tasks and todo updates.
What stays local-only
- SSH key files (unless explicitly shared via the vault).
- SQL connections (unless exported as encrypted bundles).
- FTP credentials (same).
- Settings preferences.
- Anything in a Private or unshared resource.
Sanctum tokens are stored via Electron's
safeStorage (OS keychain) and never written in plain text. HTTPS is enforced for any non-localhost server URL.