VSRelay gives a phone control over an AI coding agent running inside your editor. That is a privileged channel, and it deserves a security page written for engineers — claims you can check, not adjectives. Below is exactly what protects that channel today, and exactly what is still on the roadmap.

Our one rule: we do not claim crypto we have not shipped. Today your traffic is encrypted in transit (TLS) and your tokens are stored only as hashes — but our cloud relay terminates TLS, so it is technically capable of seeing traffic as it passes through. True end-to-end encryption — where even we cannot read your traffic — is the next milestone on our roadmap, not a box we pretend is already checked. A security page that overstates is worse than one that is candid. This one is candid.
Your code, your files, and your editor state stay on your machine. The phone is a viewport and a set of controls; it does not hold your repository. What crosses the wire is the control channel: the prompts you send, the agent's responses, the specific file or terminal contents you ask to see, and the actions you approve. VSRelay is a remote control, not a remote disk.
Every connection that leaves your device is TLS-encrypted: the web app is served over HTTPS, and the phone↔editor link runs over secure WebSockets (wss://). In cloud mode, TLS is terminated at our relay (relay.vsrelay.dev) by a hardened reverse proxy. This protects your traffic against anyone on the network path between you and the relay. It does not make the relay blind to your traffic — that property is end-to-end encryption, which we describe honestly under Trust model & roadmap.
crypto.randomBytes), not guessable strings.0600 permissions inside a 0700 directory.VSRelay is built to hold as little of your data as possible.
Diagnostics are local-only — written to a file on your machine, never uploaded unless you choose to send an excerpt to support. Every log line is passed through a redactor at write time. The following are never written to the log:
<4>…<4> stub).The redaction rules are covered by dedicated tests that assert a known secret placed in a message never appears in the serialized log. See the full inventory in our Privacy Policy.
../) cannot escape the project root.The SSH wizard handles public keys only. It rejects any input containing a private-key block before it is processed — there is no message in the protocol that can carry a private key. It refuses to touch ~/.ssh when the directory or authorized_keys permissions are wrong (and it will not silently "fix" them), refuses a symlinked authorized_keys (a known bypass vector), and writes atomically with a one-time backup.
The apps fetch data, never executable code. New behavior ships as new data shapes the existing, already-reviewed client understands — never as downloaded scripts run on your device. This is a hard architectural line: recovery flows, action cards, and compatibility information all travel as descriptive data the client renders, not as logic it executes.
VSRelay is designed to run across several trust tiers. We will tell you plainly which is live today.
If you believe you've found a security issue, please email support@vsrelay.dev with "SECURITY" in the subject. Please give us a reasonable window to investigate and ship a fix before public disclosure; we will acknowledge your report and keep you updated. We do not pursue legal action against good-faith research conducted without harming users or their data.
Security contact: support@vsrelay.dev · Data protection: legal@vsrelay.dev