Visibility & forensics
Replay any session, prove it wasn't altered.
Every Claude Code session is recorded as an xterm.js stream with keyframes for instant scrubbing. Recording hashes (sha256) prove the replay matches what actually happened - no edit-after-the-fact.
7f3a9c12 · replay08:08 / 12:42
$ fix the broken csrf middleware in /api/auth and add a unit test
⚙ Read api/auth/csrf.go (98 lines)
⚙ Grep "X-Csrf-Token" → 4 files, 7 matches
⚙ Edit api/auth/csrf.go (+12 −4)
⚙ Bash $ go test ./api/auth/...
✓ Tests pass · 4 tests, 8 assertions
How it works
1
Session streamed over WebSocket
Every input, output, tool call streamed to the broker in real time.
2
Recorded with keyframes
Snapshot every ~30s of stream - instant scrub to any point without replaying from start.
3
Scrub instantly
xterm.js re-renders from the nearest keyframe in milliseconds, via a Web Worker.
4
sha256 proves integrity
Each recording's hash is signed at close time. Mismatched playback = tamper detected.
Deep dives
Keyframe scrubbing
Click anywhere on the timeline - a Web Worker rebuilds from the prior keyframe in under 100 ms. No waiting while we re-stream from minute 0.
Permission events inline
Every time the agent asked for permission (Bash, network, file write) appears as a marker on the timeline - see exactly what was approved and when.
Integrity verification
The recording's sha256 lives in the audit chain - signed. The replay you watch is provably the recording that was made; nobody can swap it.
Verify a recording
shell · verify recording
$ synaptyx replay verify 7f3a9c12-5e44-4b21-9c8a-1de2f6a09b3c
recording_id: 7f3a9c12-5e44-4b21-9c8a-1de2f6a09b3c
hash_in_audit: sha256:b3:9f8c:e4d2:7a91…3a4e
hash_recomputed: sha256:b3:9f8c:e4d2:7a91…3a4e
✓ match — recording is exactly what was streamed at session close
What you replay is exactly what happened.
Provably. The audit chain stores the recording hash; the replay matches or it doesn't. Tamper detection isn't a "trust us" - it's a checksum compare.
Compare
| Synaptyx | asciinema | Plain text log | |
|---|---|---|---|
| Terminal fidelity | xterm.js · 256 colour | yes | no ANSI |
| Instant scrub | keyframes | re-render from 0 | no playback |
| Permission events | inline markers | no | no |
| Tamper-proof | sha256 in audit chain | trivially editable | trivially editable |
| Shareable deep link | #t=08:08 | timestamp param | N/A |
FAQ
90 days on Team, configurable on Enterprise (90 / 365 / custom). Transcripts captured by the local daemon are stored encrypted with the team DEK - we can't read those. Live-streamed sessions are processed server-side so we can render them for real-time watching and replay; they stay tenant-isolated and retention-bound.
Imperceptibly. Recording happens at the broker, not in the daemon's hot path. Adds under 1 ms per round trip.
Yes - with another authenticated team member. The link is scope-gated; outsiders see a 404. Add #t=08:08 to deep-link to a moment.
Yes - with your team DEK on the client before upload. The server stores ciphertext only, even for managed.
Ready to govern your AI infrastructure?
Request access in minutes - or talk to us about your air-gap deployment.