0k-sync

Zero-knowledge sync for local-first apps

In Development

Overview

The relay never sees your data. Not encrypted-at-rest-but-we-have-the-keys. Actually zero knowledge. The relay is a dumb pipe that routes ciphertext between your devices. No accounts, no key escrow. Keys derive from your passphrase via Argon2id. Pure Rust, no runtime, designed for edge hardware, slow networks, and battery-constrained devices.

Architecture

Zero-knowledge sync flow: Device A encrypts, Relay routes opaque blobs, Device B decrypts — The relay never sees your data. It routes opaque blobs between your devices.

Distributed testing topology: orchestrator runs tests across multiple machines with 3 relays over a mesh VPN — Two tiers of chaos testing: single-host Docker scenarios and distributed tests across a 3-machine mesh.

Highlights

Zero-knowledge relay — the server can't read your data, even if compromised

No accounts — devices pair via passphrase or QR code

Hybrid post-quantum transport — Noise XX with ML-KEM-768 + X25519 (Ring 2) — E2E verified

Multi-relay failover — connect failover, push fan-out, per-relay cursor tracking

DNS-based relay discovery — TXT records on Cloudflare, DNS-over-TLS resolution, no hardcoded NodeIds

750+ tests (604 workspace + 52 JS/pytest + 63 chaos Docker/distributed + 15 Q tool + 10 crypto-probe) — 6/6 relay integration

Relay observability — 14 Prometheus metrics, JSON health endpoint, per-request debug logging

Transport-agnostic core — sync-types and sync-core have zero iroh dependencies

Multi-language bindings — Node.js/Bun (napi-rs) and Python (PyO3)

Large file support with content-addressed hashing (BLAKE3) and chunked transfer

Tech Stack

RustirohQUICXChaCha20-Poly1305Argon2idBLAKE3ML-KEM-768Noise Protocol

Links

Documentation GitHub

Back to Home