EchoAccess User Guide
EchoAccess is a cross-platform configuration file synchronization tool written in Rust. It synchronizes SSH configs, dotfiles, and application settings across multiple devices with field-level encryption, approval-based workflows, and a NieR: Automata-inspired terminal interface.
What EchoAccess Does
- Syncs configs across Linux and macOS devices via S3-compatible cloud storage
- Encrypts selectively using age (whole-file) and AES-256-GCM (per-field)
- Handles conflicts with 3-way merge and user approval queues
- Manages permissions preserving file modes across platforms (0600 for SSH keys)
- Pushes to devices via SSH, discovering hosts from your
~/.ssh/config
Architecture Overview
EchoAccess ships as a single unified binary (echo_access) with three interface modes:
| Mode | Command | Purpose |
|---|---|---|
| Web (default) | echo_access | Web dashboard with auto-open browser |
| CLI | echo_access <command> | Command-line subcommands (clap) |
| TUI | echo_access tui | NieR: Automata terminal dashboard (ratatui) |
The codebase consists of three crates:
| Crate | Type | Purpose |
|---|---|---|
echoax-core | Library | Shared logic for all interfaces |
echoax-cli | Binary | Unified binary (echo_access) — CLI + Web dashboard |
echoax-tui | Library | TUI terminal interface (ratatui + NieR theme) |
Installation
From GitHub Releases
Download the latest release for your platform:
| Platform | Architecture | Download |
|---|---|---|
| Linux | x86_64 | echoax-v0.1.6-x86_64-unknown-linux-gnu.tar.gz |
| Linux | aarch64 | echoax-v0.1.6-aarch64-unknown-linux-gnu.tar.gz |
| macOS | Intel | echoax-v0.1.6-x86_64-apple-darwin.tar.gz |
| macOS | Apple Silicon | echoax-v0.1.6-aarch64-apple-darwin.tar.gz |
# Example: Linux x86_64
curl -fsSL https://github.com/YoRHa-Agents/EchoAccess/releases/latest/download/echoax-v0.1.6-x86_64-unknown-linux-gnu.tar.gz | tar xz
sudo mv echoax-*/echo_access /usr/local/bin/echo_access
From Source
Requirements: Rust 1.94+ with cargo.
git clone https://github.com/YoRHa-Agents/EchoAccess.git
cd EchoAccess
cargo build --release -p echoax-cli
The binary is produced at target/release/echo_access.
Verify Installation
echo_access --help
Quick Start
1. Launch the Web Dashboard
echo_access
This starts the web server on port 9876 and opens your browser automatically. If the server is already running, it simply opens the browser to the existing instance.
2. Initialize
echo_access init
This creates the config directory at ~/.config/echoax/ with default settings.
3. Create a Device Profile
Create a profile at ~/.config/echoax/profiles/my-device.toml:
[device]
os = "linux"
role = "server"
hostname = "my-server"
[[sync_rules]]
source = "ssh/config"
target = "~/.ssh/config"
transforms = []
masked_fields = []
4. Validate the Profile
echo_access profile validate ~/.config/echoax/profiles/my-device.toml
5. Check Status
echo_access status
6. Sync
echo_access sync upload # Push local configs to cloud
echo_access sync download # Pull configs from cloud
echo_access sync check # Check for differences
7. TUI Mode
echo_access tui
Launches the NieR: Automata-styled terminal dashboard for interactive use.
Configuration
EchoAccess configuration lives at ~/.config/echoax/config.toml.
Config File Structure
[general]
language = "en"
auto_start = false
log_level = "info"
port = 9876
[session]
timeout_secs = 900
auto_lock = true
[trigger]
hotkey = "ctrl+shift+s"
on_login = false
[cloud]
enabled = true
endpoint = "https://echo-access-data.oss-cn-beijing.aliyuncs.com"
region = "cn-beijing"
bucket = "echo-access-data"
access_key_id = "AKIAIOSFODNN7EXAMPLE"
secret_access_key = "SECRET"
sync_interval_secs = 3600
[update]
auto_check = true
check_interval_hours = 24
channel = "stable"
Config Sections
[general]
language: UI language (default: "en")auto_start: Start EchoAccess on system loginlog_level: Logging verbosity: trace, debug, info, warn, errorport: Web UI listen port (default: 9876). Changes take effect after restart.
[session]
timeout_secs: Auto-lock session after N seconds of inactivity (default: 900)auto_lock: Enable session auto-lock
[cloud]
enabled: Enable cloud syncendpoint: S3-compatible storage endpointregion: Storage region or provider-specific region hintbucket: Bucket or container nameaccess_key_id: Access key identifier for authenticated accesssecret_access_key: Secret access key used with the access key idsync_interval_secs: Automatic sync interval
When cloud sync is enabled, the Web UI validates that endpoint, bucket, access_key_id, and secret_access_key are all present before testing the configuration.
View Configuration
echo_access config show # Display current config
echo_access config path # Show config file location
Device Profiles
Each device has a TOML profile that declares which files to sync and how to handle platform differences.
Profile Structure
[device]
os = "linux" # linux, macos, windows
role = "server" # server, desktop, dev, edge
hostname = "srv-01" # Unique device identifier
[[sync_rules]]
source = "ssh/config.base" # Source file in cloud storage
target = "~/.ssh/config" # Target path on this device
transforms = ["strip_gui_hosts"] # Transform pipeline
masked_fields = ["Host desktop-*"] # Fields to mask on this device
[sync_rules.field_overrides]
"user.email" = "ops@company.com" # Per-device field values
Sync Rules
Each [[sync_rules]] entry defines one file to synchronize:
| Field | Type | Description |
|---|---|---|
source | String | Path in cloud storage |
target | String | Local file path (supports ~) |
transforms | String[] | Ordered list of transform names |
masked_fields | String[] | Fields hidden on this device |
field_overrides | Map | Key-value overrides per device |
Managing Profiles
echo_access profile list # List all profiles
echo_access profile show <name> # Display profile details
echo_access profile validate <path> # Validate TOML syntax + rules
Sync Workflow
How Sync Works
EchoAccess uses a three-state model for synchronization:
- Source State: The intended configuration (from profile + cloud storage)
- Target State: The rendered result after applying transforms and overrides
- Actual State: What currently exists on disk
The sync engine compares these states and generates a plan:
Source (cloud) → Transform → Target (expected) → Diff → Actual (disk)
↓
Approval Queue
Conflict Resolution
When both local and cloud copies have changed, EchoAccess performs a 3-way merge:
- Clean merge: Changes don't overlap — applied automatically
- Conflict: Changes overlap — queued for user approval
Approval Queue
Local modifications are not automatically uploaded. They enter an approval queue:
echo_access sync check # See pending changes
echo_access sync upload # Upload approved changes
echo_access sync download # Download from cloud
Triggers
Sync can be triggered three ways:
- File watcher: Automatically detects config file changes
- Scheduler: Periodic sync at configurable intervals
- Manual: Via CLI commands or TUI actions
Encryption
EchoAccess provides two layers of encryption for sensitive configuration files.
File-Level Encryption (age)
Entire files (like SSH private keys) are encrypted using the age encryption format with a passphrase:
Original file → age encrypt (passphrase) → Encrypted blob (stored in cloud)
The passphrase derives a master key via argon2 KDF.
Field-Level Encryption (AES-256-GCM)
For structured config files (TOML, YAML, JSON), individual fields can be encrypted while keeping the file structure readable:
[database]
host = "db.example.com" # plaintext
password = "ENC[AES256-GCM:base64data]" # encrypted field
Field encryption uses the field's path (e.g., database.password) as Additional Authenticated Data (AAD), preventing field-swap attacks.
Session Management
Access to encrypted files requires an unlocked session:
echo_access unlock # Unlock with master password
echo_access lock # Lock session (clears key from memory)
The session auto-locks after the configured timeout (default: 15 minutes).
Security Properties
| Property | Implementation |
|---|---|
| Key derivation | argon2id (memory-hard) |
| File encryption | age passphrase mode |
| Field encryption | AES-256-GCM with AAD |
| Key storage | Memory-only (never written to disk) |
| Session timeout | Configurable auto-lock |
CLI Reference
Usage
echo_access [OPTIONS] [COMMAND]
Running echo_access without any command starts the Web UI dashboard.
Global Flags
| Flag | Description |
|---|---|
--verbose | Enable verbose output |
--quiet | Suppress non-error output |
--config <PATH> | Override config file path |
Commands
echo_access web
Start the Web UI dashboard (this is also the default when no command is given).
| Flag | Description |
|---|---|
--port <PORT> | Port to listen on (default: 9876) |
--no-open | Don't auto-open the browser |
echo_access tui
Launch the NieR: Automata-styled TUI terminal dashboard.
echo_access init
Initialize EchoAccess on the current device. Creates ~/.config/echoax/ directory structure.
echo_access status
Display current sync status, session state, and cloud connection.
echo_access sync
| Subcommand | Description |
|---|---|
sync upload | Upload approved local changes to cloud |
sync download | Download latest configs from cloud |
sync check | Check for differences without syncing |
echo_access profile
| Subcommand | Description |
|---|---|
profile list | List all configured device profiles |
profile show <name> | Display profile details |
profile validate <path> | Validate a TOML profile file |
echo_access config
| Subcommand | Description |
|---|---|
config show | Display current configuration |
config path | Print config directory path |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |