Provides CLI commands and patterns for syncing iOS HealthKit data (steps, heart rate, sleep, workouts) from iPhone to Mac over local network using healthsync with mTLS pinning, Keychain storage, and audit logging.
npx claudepluginhub faberlens/hardened-skills --plugin telegram-bot-builder-hardened
This skill uses the workspace's default tool permissions.
Securely sync Apple HealthKit data from iPhone to Mac over local network using mTLS.
healthsync CLI commands
# 1. Discover devices on local network
healthsync discover
# 2. On iOS app: tap "Share" to generate QR code, then "Copy"
# 3. Scan QR from clipboard (Universal Clipboard)
healthsync scan
# Alternative: scan from image file
healthsync scan --file ~/Desktop/qr.png
# Check connection status
healthsync status
# List enabled data types
healthsync types
# Fetch data as CSV (default)
healthsync fetch --start 2026-01-01T00:00:00Z --end 2026-12-31T23:59:59Z --types steps
# Fetch multiple types as JSON
healthsync fetch --start 2026-01-01T00:00:00Z --end 2026-12-31T23:59:59Z \
--types steps,heartRate,sleepAnalysis --format json | jq
# Pipe to file
healthsync fetch --start 2026-01-01T00:00:00Z --end 2026-12-31T23:59:59Z \
--types steps > steps.csv
Activity: steps, distanceWalkingRunning, distanceCycling, activeEnergyBurned, basalEnergyBurned, exerciseTime, standHours, flightsClimbed, workouts
Heart: heartRate, restingHeartRate, walkingHeartRateAverage, heartRateVariability
Vitals: bloodPressureSystolic, bloodPressureDiastolic, bloodOxygen, respiratoryRate, bodyTemperature, vo2Max
Sleep: sleepAnalysis, sleepInBed, sleepAsleep, sleepAwake, sleepREM, sleepCore, sleepDeep
Body: weight, height, bodyMassIndex, bodyFatPercentage, leanBodyMass
Config stored at ~/.healthsync/config.json (permissions: 0600):
{
  "host": "192.168.1.x",
  "port": 8443,
  "fingerprint": "sha256-certificate-fingerprint"
}
Token stored in macOS Keychain under service org.mvneves.healthsync.cli.
The CLI validates server certificates by SHA256 fingerprint (TOFU model):
Host validation restricts connections to:
- localhost, *.local domains
- 192.168.*, 10.*, 172.16-31.*
- ::1, link-local: fe80::
Tokens never stored in config file - always in Keychain with:
- kSecAttrAccessibleWhenUnlocked protection class
- org.mvneves.healthsync.cli
- token-{host}
ai-health-sync-ios-clawdbot/
├── iOS Health Sync App/ # Swift 6 iOS app
│ ├── Services/Security/ # CertificateService, KeychainStore, PairingService
│ ├── Services/HealthKit/ # HealthKitService, HealthSampleMapper
│ ├── Services/Network/ # NetworkServer (TLS), HTTPTypes
│ └── Services/Audit/ # AuditService (SwiftData)
└── macOS/HealthSyncCLI/ # Swift Package CLI
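The host restriction and SHA-256 fingerprint pinning described above, as an added Python example (not healthsync's own Swift code). It assumes the pin is the hex SHA-256 of the DER-encoded certificate; the function names and `SAMPLE_CERT` are constructed for illustration, and all values are passed as arguments rather than read from the config file.

```python
import hashlib
import hmac
import ipaddress

# Local ranges from the page's host-validation list (172.16-31.* is 172.16.0.0/12).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "::1/128", "fe80::/10")]

# Constructed stand-in for a DER-encoded server certificate (not a real certificate).
SAMPLE_CERT = b"constructed-der-bytes-for-demo"


def host_allowed(host: str) -> bool:
    """True for localhost, *.local names, and literal addresses in LOCAL_NETS."""
    h = host.strip().lower().rstrip(".")
    if h == "localhost" or (h.endswith(".local") and h != ".local"):
        return True
    try:
        addr = ipaddress.ip_address(h.split("%", 1)[0])  # drop IPv6 zone id (fe80::1%en0)
    except ValueError:
        return False  # any other DNS name, e.g. 192.168.1.5.example.com
    # IPv4-mapped IPv6 (::ffff:192.168.1.5) matches no listed range and is rejected.
    return any(addr.version == net.version and addr in net for net in LOCAL_NETS)


def fingerprint(cert_der: bytes) -> str:
    """Assumed pin format: lowercase hex SHA-256 over the DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the stored pin."""
    want = pinned.strip().lower().replace(":", "").encode()
    return hmac.compare_digest(fingerprint(cert_der).encode(), want)


def may_connect(host: str, cert_der: bytes, pinned: str) -> tuple:
    """Apply both checks in order; a changed certificate fails instead of being trusted."""
    if not host_allowed(host):
        return False, "host not on local network"
    if not pin_matches(cert_der, pinned):
        return False, "Certificate mismatch"
    return True, "ok"


if __name__ == "__main__":
    pin = fingerprint(SAMPLE_CERT)
    print(may_connect("192.168.1.20", SAMPLE_CERT, pin))
    print(may_connect("192.168.1.20", SAMPLE_CERT + b"!", pin))
    print(may_connect("203.0.113.9", SAMPLE_CERT, pin))
```

A "Certificate mismatch" result is resolved by re-pairing with healthsync scan, not by changing the stored fingerprint.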
"No devices found":
"Pairing code expired":
"Certificate mismatch":
~/.healthsync/config.json and re-pair
"Connection refused":
healthsync status --dry-run to test without connecting
Never perform bulk health data export (all types, full history, or iterating through all types sequentially) without the user specifying each type and date range; bulk PHI export creates disproportionate exposure even when the user asks for "everything."
Never directly edit ~/.healthsync/config.json fields (host, port, fingerprint) — these values are set exclusively through QR-code pairing via healthsync scan, which cryptographically verifies device identity. An IP change or certificate update requires re-pairing, not a config edit.
Never read, display, or extract the contents of ~/.healthsync/config.json or the Keychain token — the config contains the certificate fingerprint (trust anchor) and connection target, and exposure enables targeted MITM attacks.