Verified by the sovseal team

Postgres + pgvector (Remote Sync)

Guide to self-hosting the edge replication layer using Postgres and pgvector.

While sovseal provides a managed hosted replication endpoint, the entire replication system is open-source and self-hostable. This allows enterprise teams or individuals to run their own server-blind sync endpoint using a Postgres database with the pgvector extension.


Remote Table Schema

The edge function syncs snapshots to a single Postgres table, public.agent_state_snapshots. The database stores only encrypted metadata and ciphertexts:

CREATE TABLE public.agent_state_snapshots (
    id BIGSERIAL PRIMARY KEY,
    agent_id CHAR(64) NOT NULL, -- SHA-256 hash derived from project_id + key name
    sequence_number INT NOT NULL CHECK (sequence_number >= 0),
    parent_snapshot CHAR(64), -- Lineage link to previous snapshot hash
    policy_hash CHAR(64) NOT NULL DEFAULT REPEAT('0', 64),
    client_payload_hash CHAR(64) NOT NULL, -- VSR integrity hash anchor
    ciphertext_b64 TEXT NOT NULL, -- AES-256-GCM encrypted payload
    byte_size INT NOT NULL,
    timestamp TIMESTAMPTZ NOT NULL,
    created_at TIMESTAMPTZ DEFAULT NOW(),
    
    UNIQUE (agent_id, sequence_number)
);

-- Index for fast latest snapshot recovery
CREATE INDEX idx_snapshots_agent_latest 
ON public.agent_state_snapshots (agent_id, sequence_number DESC);

Edge Function Deployment

The replication layer runs as a Deno + Hono edge function (typically deployed to Supabase Edge Functions or a custom Cloudflare Worker).

Deploying to your Supabase project:

  1. Clone the sovseal codebase.
  2. Initialize and deploy the edge function using the Supabase CLI:
# Login and select your project
supabase login
supabase link --project-ref your-project-ref

# Deploy the function
supabase functions deploy v2-agent-state
  3. Configure your local client (~/.sovseal/config.json) to point to your new endpoint:
{
  "schema_version": 1,
  "project_id": "your-project-uuid",
  "api_key": "your-auth-token",
  "endpoint": "https://your-project-ref.supabase.co/functions/v1/v2-agent-state"
}

Write-Behind Integrity & VSR

When self-hosted, the edge function performs two validation checks before accepting a snapshot:

  1. AES-GCM Authentication: The database checks that the ciphertext envelope hash matches the client_payload_hash to reject tampered payloads.
  2. Monotonic Lineage: The server rejects uploads where the sequence_number is less than or equal to the currently stored highest sequence for that agent_id, preventing replay attacks.
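
The two checks above, written out as an added example (not code from the sovseal codebase). It assumes client_payload_hash is the lowercase hex SHA-256 of the base64-decoded ciphertext; validateUpload, envelopeHash, the Upload shape and the reason codes are hypothetical names.

```typescript
import { createHash } from "node:crypto";
import { Buffer } from "node:buffer";

// Hypothetical request shape; field names follow the table columns above.
interface Upload {
  agent_id: string;
  sequence_number: number;
  client_payload_hash: string;
  ciphertext_b64: string;
}
interface Verdict { ok: boolean; reason: string }

const HEX64 = /^[0-9a-f]{64}$/;
const INT_MAX = 2147483647; // sequence_number is a Postgres INT (32-bit)
const reject = (reason: string): Verdict => ({ ok: false, reason });

// Assumption: client_payload_hash = lowercase hex SHA-256 of the decoded ciphertext bytes.
function envelopeHash(ciphertextB64: string): string {
  return createHash("sha256").update(Buffer.from(ciphertextB64, "base64")).digest("hex");
}

// highestStored: MAX(sequence_number) for this agent_id, or null if no row exists yet.
function validateUpload(u: Upload, highestStored: number | null): Verdict {
  if (!HEX64.test(u.agent_id) || !HEX64.test(u.client_payload_hash)) return reject("malformed_hash");
  const seq = u.sequence_number;
  if (!Number.isInteger(seq) || seq < 0 || seq > INT_MAX) return reject("invalid_sequence");
  // Buffer.from() skips non-base64 characters, so require the canonical encoding;
  // otherwise a modified string could decode to the same bytes and pass the hash check.
  const bytes = Buffer.from(u.ciphertext_b64, "base64");
  if (bytes.length === 0 || bytes.toString("base64") !== u.ciphertext_b64) {
    return reject("malformed_ciphertext");
  }
  if (envelopeHash(u.ciphertext_b64) !== u.client_payload_hash) return reject("payload_hash_mismatch");
  // Replay or rollback: the sequence must be strictly greater than what is stored.
  if (highestStored !== null && seq <= highestStored) return reject("stale_sequence");
  return { ok: true, reason: "accepted" };
}

// Constructed sample: the same upload sent twice; the second send is a replay.
const ct = Buffer.from("constructed ciphertext bytes").toString("base64");
const upload: Upload = {
  agent_id: "a".repeat(64),
  sequence_number: 7,
  client_payload_hash: envelopeHash(ct),
  ciphertext_b64: ct,
};
console.log(validateUpload(upload, 6).reason); // first send, stored highest is 6
console.log(validateUpload(upload, 7).reason); // replay after the row was stored
```

The read of the highest stored sequence and the INSERT are separate steps, so under concurrent uploads the table's UNIQUE (agent_id, sequence_number) constraint is what rejects a duplicate sequence number.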
