cookiesync-cli 0.1.0__py3-none-any.whl

cookiesync/daemon/sync.py

@@ -0,0 +1,241 @@
+"""The sync merge pass: gather every endpoint's cookies, union newest-wins, idempotently apply.
+
+``converge`` runs one merge pass for a single tracked browser group. It decrypts this
+host's cookies (via the cached Safe Storage key — never prompting here), pulls each peer's
+decrypted cookies over ssh, merges with the pure union newest-wins rule, then writes the
+merged set back to any endpoint whose rows differ — preserving the winning
+``last_update_utc`` and recording the applied digest with the watch engine *before* the
+write, so the induced filesystem event is recognized as a self-echo and skipped.
+
+Cookie ``last_update_utc`` is absolute Chrome time (microseconds since 1601 UTC) and is
+host-independent, so a raw newest-wins comparison is convergent across NTP-synced tailnet
+machines without any clock-skew correction. The merge preserves each winner's original
+``last_update_utc`` on every host, so the anti-echo digest the watch engine records matches
+the store's fingerprint after the write.
+
+``reconcile`` is the time-based backup: ``converge`` over every tracked browser group.
+
+This host and every peer are reached through the one uniform :class:`Source` seam
+(``extract``/``apply``), so the merge logic runs in unit tests against fakes — with the
+sources injected — without ssh or a real cookie store.
+"""
+
+from __future__ import annotations
+
+from collections import defaultdict
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Protocol
+
+from cookiesync.cookie import merge
+from cookiesync.daemon.engine import logical_digest
+
+if TYPE_CHECKING:
+    from collections.abc import Callable, Iterable, Sequence
+
+    from cookiesync.cookie.browsers import Browser
+    from cookiesync.cookie.models import Cookie
+    from cookiesync.daemon.cache import KeyCache
+    from cookiesync.state import BrowserEndpoint, BrowserId, SshTarget
+
+
+class NeedsAuth(Exception):
+    """No cached Safe Storage key for the endpoint's browser; a prompt is required first.
+
+    Raised when ``converge`` finds the local key cache cold. ``converge`` never prompts —
+    the caller obtains consent and seeds the cache, then retries.
+    """
+
+
+class Engine(Protocol):
+    """The watch engine's anti-echo seam: record an endpoint's applied digest before writing.
+
+    Recording the digest first means the filesystem event the write induces is recognized
+    as this daemon's own and suppressed, rather than re-triggering a sync.
+    """
+
+    def record_applied(self, endpoint_id: str, digest: str) -> None: ...
+
+
+@dataclass(frozen=True, slots=True)
+class Extracted:
+    """A source's decrypted cookies for the requested browser profile."""
+
+    cookies: tuple[Cookie, ...]
+
+
+class Source(Protocol):
+    """One endpoint's cookie store, reached the same way whether it is local or a peer.
+
+    Both the in-process local source and the ssh-backed peer satisfy this seam: ``extract``
+    returns the decrypted cookies, and ``apply`` writes a merged set back. The Safe Storage
+    key never crosses this boundary — the source decrypts and re-encrypts in its own session.
+    """
+
+    async def extract(self, browser: BrowserId, profile: str) -> Extracted: ...
+
+    async def apply(self, browser: BrowserId, profile: str, cookies: Sequence[Cookie]) -> int: ...
+
+
+@dataclass(frozen=True, slots=True)
+class Gathered:
+    """One endpoint's decrypted cookies for the group, with the source that yielded them."""
+
+    endpoint: BrowserEndpoint
+    source: Source
+    cookies: tuple[Cookie, ...]
+
+
+def target_row(cookie: Cookie) -> tuple:
+    """The full logical row used to decide whether an endpoint already holds a cookie.
+
+    Covers every value-bearing field, so an idempotent apply skips only when the endpoint's
+    stored row matches the winner exactly — including its preserved ``last_update_utc``.
+    """
+    return (
+        cookie.host_key,
+        cookie.name,
+        cookie.value,
+        cookie.path,
+        int(cookie.expires_utc),
+        int(cookie.last_update_utc),
+        cookie.is_secure,
+        cookie.is_httponly,
+        cookie.samesite,
+        cookie.source_scheme,
+        cookie.source_port,
+        cookie.top_frame_site_key,
+        cookie.has_cross_site_ancestor,
+    )
+
+
+def row_set(cookies: Iterable[Cookie]) -> frozenset[tuple]:
+    return frozenset(target_row(c) for c in cookies)
+
+
+async def gather(endpoint: BrowserEndpoint, source: Source) -> Gathered:
+    extracted = await source.extract(endpoint.browser, endpoint.profile)
+    return Gathered(endpoint, source, extracted.cookies)
+
+
+async def apply_to(gathered: Gathered, merged: tuple[Cookie, ...], *, engine: Engine) -> bool:
+    if row_set(merged) == row_set(gathered.cookies):
+        return False
+    engine.record_applied(gathered.endpoint.id, logical_digest(merged))
+    await gathered.source.apply(gathered.endpoint.browser, gathered.endpoint.profile, merged)
+    return True
+
+
+async def converge(
+    endpoint: BrowserEndpoint,
+    peers: Sequence[BrowserEndpoint],
+    *,
+    origin: SshTarget | None = None,
+    self_target: SshTarget,
+    cache: KeyCache,
+    engine: Engine,
+    local_source: Source,
+    source_for: Callable[[SshTarget], Source],
+) -> tuple[Cookie, ...]:
+    """Merge one browser group across this host and its peers, then idempotently apply.
+
+    Gathers ``endpoint``'s decrypted cookies through ``local_source`` (the consent gate is
+    the caller's; a cold key cache raises :class:`NeedsAuth` rather than prompting) and each
+    peer's cookies through ``source_for(peer.host)``, skipping ``origin`` so a sync is never
+    echoed straight back to the host that triggered it. The union newest-wins
+    :func:`~cookiesync.cookie.merge` selects per cookie by raw ``last_update_utc`` — absolute
+    Chrome time, host-independent and convergent on NTP-synced machines — and the result is
+    written to any endpoint whose stored rows differ, preserving the winning
+    ``last_update_utc`` and recording the applied digest with ``engine`` *before* the write,
+    so the induced filesystem event is suppressed. Same-machine endpoints converge through
+    ``local_source`` in-process, with no ssh.
+
+    Args:
+        endpoint: This host's local endpoint for the browser group.
+        peers: The other tracked endpoints for the same browser, local or remote.
+        origin: The host that triggered this sync, skipped to avoid an echo; ``None`` for a
+            time-based reconcile that touches every endpoint.
+        self_target: This host's own ssh target; endpoints on it converge in-process.
+        cache: The short-TTL key cache; a cold entry for ``endpoint`` raises
+            :class:`NeedsAuth`.
+        engine: The watch engine, told the applied digest before each write.
+        local_source: This machine's cookie source (extract/apply behind the consent gate).
+        source_for: Builds the :class:`Source` for a peer target; injected for tests.
+
+    Returns:
+        The merged cookie set that was reconciled across the group.
+
+    Raises:
+        NeedsAuth: The local key cache is cold for ``endpoint``; obtain consent and retry.
+
+    Example:
+        >>> await converge(local, peers, self_target=self, cache=cache, engine=engine,
+        ...                local_source=local, source_for=lambda t: SshBackend(t, origin=self))
+    """
+    if await cache.get(endpoint.id) is None:
+        raise NeedsAuth(f"no cached key for {endpoint.id}; obtain consent before converging")
+    sources = [
+        (endpoint, local_source),
+        *(
+            (peer, local_source if peer.host == self_target else source_for(peer.host))
+            for peer in peers
+            if peer.host != origin
+        ),
+    ]
+    gathered = [await gather(ep, src) for ep, src in sources]
+    merged = merge(*(g.cookies for g in gathered))
+    for g in gathered:
+        await apply_to(g, merged, engine=engine)
+    return merged
+
+
+async def reconcile(
+    endpoints: Sequence[BrowserEndpoint],
+    *,
+    self_target: SshTarget,
+    registry: dict[BrowserId, Browser],
+    cache: KeyCache,
+    engine: Engine,
+    local_source: Source,
+    source_for: Callable[[SshTarget], Source],
+) -> dict[str, tuple[Cookie, ...]]:
+    """The time-based backup: ``converge`` over every tracked browser group.
+
+    Groups ``endpoints`` by browser, anchors each group on this host's local endpoint, and
+    runs :func:`converge` with no ``origin`` so every endpoint is reconciled. A group with no
+    local endpoint on this host is skipped — there is nothing here to merge from.
+
+    Args:
+        endpoints: Every tracked endpoint across all hosts and browsers.
+        self_target: This host's own ssh target.
+        registry: The browser registry, mapping each :class:`~cookiesync.state.BrowserId` to
+            its :class:`~cookiesync.cookie.browsers.Browser`; the anchored group is skipped
+            when its browser is not registered.
+        cache: The short-TTL key cache.
+        engine: The watch engine, told each applied digest before its write.
+        local_source: This machine's cookie source.
+        source_for: Builds the :class:`Source` for a peer target; injected for tests.
+
+    Returns:
+        Each anchored endpoint's id mapped to the merged set reconciled for its group.
+
+    Example:
+        >>> await reconcile(endpoints, self_target=self, registry=REGISTRY, cache=cache,
+        ...                 engine=engine, local_source=local, source_for=make_ssh_source)
+    """
+    groups: dict[BrowserId, list[BrowserEndpoint]] = defaultdict(list)
+    for endpoint in endpoints:
+        groups[endpoint.browser].append(endpoint)
+    results: dict[str, tuple[Cookie, ...]] = {}
+    for browser_id, group in groups.items():
+        if browser_id not in registry or (anchor := next((e for e in group if e.host == self_target), None)) is None:
+            continue
+        results[anchor.id] = await converge(
+            anchor,
+            [e for e in group if e is not anchor],
+            self_target=self_target,
+            cache=cache,
+            engine=engine,
+            local_source=local_source,
+            source_for=source_for,
+        )
+    return results

cookiesync/daemon/wire.py

@@ -0,0 +1,90 @@
+"""The newline-delimited JSON wire format the daemon RPC speaks.
+
+One ``Request`` line in, one ``Response`` line out, then the connection closes.
+``Cookie`` objects cross the wire as the JSON-safe dict ``dataclasses.asdict``
+produces, since every ``Cookie`` field is a ``str``/``int``/``bool``.
+"""
+
+from __future__ import annotations
+
+import dataclasses
+import json
+from dataclasses import dataclass, field
+
+from cookiesync.cookie import Cookie
+from cookiesync.cookie.models import ChromeMicros, HostKey
+
+
+@dataclass(frozen=True, slots=True)
+class Request:
+    """A single daemon command, encoded as one JSON line.
+
+    Example:
+        >>> Request("status", {"endpoint": "host:chrome:Default"})
+    """
+
+    method: str
+    params: dict = field(default_factory=dict)
+
+
+@dataclass(frozen=True, slots=True)
+class Response:
+    """The daemon's reply to one ``Request``, encoded as one JSON line.
+
+    ``error`` is set only when the request failed; ``result`` carries the handler's
+    return on success.
+
+    Example:
+        >>> Response(ok=True, result={"applied": 3})
+    """
+
+    ok: bool
+    result: dict | list | None = None
+    error: str | None = None
+
+
+def cookie_to_wire(cookie: Cookie) -> dict:
+    """A ``Cookie`` as the JSON-safe dict that crosses the wire."""
+    return dataclasses.asdict(cookie)
+
+
+def cookie_from_wire(data: dict) -> Cookie:
+    """A wire dict back into a ``Cookie``, re-branding its primitive fields."""
+    return Cookie(
+        host_key=HostKey(data["host_key"]),
+        name=data["name"],
+        value=data["value"],
+        path=data["path"],
+        expires_utc=ChromeMicros(data["expires_utc"]),
+        last_update_utc=ChromeMicros(data["last_update_utc"]),
+        creation_utc=ChromeMicros(data["creation_utc"]),
+        is_secure=data["is_secure"],
+        is_httponly=data["is_httponly"],
+        samesite=data["samesite"],
+        source_scheme=data["source_scheme"],
+        source_port=data["source_port"],
+        top_frame_site_key=data["top_frame_site_key"],
+        has_cross_site_ancestor=data["has_cross_site_ancestor"],
+    )
+
+
+def encode_request(req: Request) -> bytes:
+    """A ``Request`` as one newline-terminated JSON line."""
+    return json.dumps({"method": req.method, "params": req.params}).encode() + b"\n"
+
+
+def decode_request(line: bytes) -> Request:
+    """One JSON line back into a ``Request``."""
+    data = json.loads(line)
+    return Request(method=data["method"], params=data.get("params", {}))
+
+
+def encode_response(resp: Response) -> bytes:
+    """A ``Response`` as one newline-terminated JSON line."""
+    return json.dumps({"ok": resp.ok, "result": resp.result, "error": resp.error}).encode() + b"\n"
+
+
+def decode_response(line: bytes) -> Response:
+    """One JSON line back into a ``Response``."""
+    data = json.loads(line)
+    return Response(ok=data["ok"], result=data.get("result"), error=data.get("error"))

cookiesync/helper.py

@@ -0,0 +1,112 @@
+"""Install and classify the signed Secure-Enclave key helper ``.app``.
+
+``cookiesync install`` installs the helper through Homebrew —
+``brew install yasyf/tap/cookiesync-keyhelper`` against the shared central tap. Homebrew
+downloads the release asset, verifies its checksum, and lays the stapled, notarized
+``.app`` down in the cask appdir; cookiesync then asserts the installed bundle carries a
+valid Developer-ID anchor before trusting it. An ad-hoc, unsigned, or wrong-anchor bundle
+is refused — macOS 15/26 SIGKILL an ad-hoc signature at exec and refuse it the Secure
+Enclave.
+
+The Developer-ID anchor check is the same designated-requirement OID
+(``1.2.840.113635.100.6.2.6``) the release workflow seals against, so a bundle that
+``codesign --verify --strict`` would pass on its own (e.g. an ad-hoc signature) still
+classifies as ``UNSIGNED`` here.
+"""
+
+from __future__ import annotations
+
+import re
+import shutil
+from enum import Enum
+from pathlib import Path
+
+import anyio
+
+from cookiesync import paths
+
+CODESIGN = "/usr/bin/codesign"
+DEVELOPER_ID_REQUIREMENT = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists"
+BREW_CASK = "yasyf/tap/cookiesync-keyhelper"
+PROBE_VAULT = "cookiesync-doctor-probe"
+CONTRACT_LINE = re.compile(rb"^biometry=(?:true|false) passcode=(?:true|false) vault=(?:true|false)$", re.MULTILINE)
+
+
+class HelperState(Enum):
+    OK = "ok"
+    UNSIGNED = "unsigned"
+    MISSING = "missing"
+
+
+class HelperInstallError(Exception):
+    """The signed key helper could not be installed or verified."""
+
+
+async def developer_id_signed(app_path: Path) -> bool:
+    """Whether ``app_path`` has an intact signature anchored to Apple's Developer ID.
+
+    Runs ``codesign --verify --strict`` with the Developer-ID designated-requirement
+    OID, so an ad-hoc or wrong-anchor signature (which a bare ``--verify`` would accept)
+    returns ``False``.
+    """
+    result = await anyio.run_process(
+        [CODESIGN, "--verify", "--strict", "-R", DEVELOPER_ID_REQUIREMENT, str(app_path)],
+        check=False,
+    )
+    return result.returncode == 0
+
+
+async def helper_state() -> HelperState:
+    """Classify the installed key helper as ``OK`` (Developer-ID signed), ``UNSIGNED``, or ``MISSING``."""
+    if not paths.helper_binary().is_file():
+        return HelperState.MISSING
+    return HelperState.OK if await developer_id_signed(paths.helper_app_path()) else HelperState.UNSIGNED
+
+
+async def supports_contract() -> bool:
+    """Whether the installed helper honours the key-helper subcommand contract cookiesync depends on.
+
+    The cask version can lag the package version, and cookiesync resolves the helper by name,
+    so a stale or incompatible bundle may sit at the expected path. Runs the read-only
+    ``vault-status`` subcommand against a fake vault — it never triggers a Touch ID prompt —
+    and passes iff the helper exits 0 and emits the documented
+    ``biometry=<bool> passcode=<bool> vault=<bool>`` contract line.
+    """
+    result = await anyio.run_process(
+        [str(paths.helper_binary()), "vault-status", PROBE_VAULT],
+        check=False,
+    )
+    return result.returncode == 0 and CONTRACT_LINE.search(result.stdout) is not None
+
+
+async def install_helper() -> Path:
+    """Install the signed Secure-Enclave key helper via Homebrew, then verify its Developer-ID anchor.
+
+    Runs ``brew install yasyf/tap/cookiesync-keyhelper`` — Homebrew downloads the release
+    asset, checksum-verifies it, and lays the stapled, notarized ``.app`` into the cask
+    appdir — then locates the installed bundle and asserts it is Developer-ID signed. Raises
+    :class:`HelperInstallError` if Homebrew is absent, the install fails, the bundle cannot
+    be located, or the anchor check fails: an unverified bundle is never trusted.
+
+    Returns:
+        The installed ``cookiesync-keyhelper.app`` path.
+    """
+    if (brew := shutil.which("brew")) is None:
+        raise HelperInstallError(
+            "Homebrew is required to install the signed key helper; install it from "
+            "https://brew.sh, then rerun 'cookiesync install'"
+        )
+    result = await anyio.run_process([brew, "install", "--cask", BREW_CASK], check=False)
+    if result.returncode != 0:
+        raise HelperInstallError(f"'brew install --cask {BREW_CASK}' failed: {result.stderr.decode().strip()}")
+    app_path = paths.helper_app_path()
+    if not await anyio.Path(app_path).is_dir():
+        raise HelperInstallError(
+            f"'brew install --cask {BREW_CASK}' reported success but no bundle is present at {app_path}"
+        )
+    if not await developer_id_signed(app_path):
+        raise HelperInstallError(
+            f"refusing to trust {app_path.name}: it is not Developer-ID-signed "
+            "(codesign --verify --strict and the Developer-ID anchor must both pass)"
+        )
+    return app_path

cookiesync/paths.py

@@ -0,0 +1,87 @@
+"""On-disk locations for cookiesync's config dir, state file, RPC socket, reconcile lock, and signed helper.
+
+The config dir honours ``XDG_CONFIG_HOME`` (falling back to ``~/.config``) and holds a
+``cookiesync`` subdirectory shared by every writer of ``state.json``. The signed
+Secure-Enclave helper ships as a Homebrew cask (``yasyf/tap/cookiesync-keyhelper``) and
+installs its ``.app`` into the Homebrew cask appdir — ``/Applications`` by default, or
+``~/Applications`` when brew runs without admin rights.
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+CONFIG_SUBDIR = "cookiesync"
+DATA_SUBDIR = "cookiesync"
+STATE_FILE = "state.json"
+SOCK_FILE = "rpc.sock"
+LOCK_FILE = "reconcile.lock"
+HELPER_APP = "cookiesync-keyhelper.app"
+HELPER_EXECUTABLE = "cookiesync-keyhelper"
+
+
+class HelperError(Exception):
+    """The signed Secure-Enclave helper is not installed; run ``cookiesync install`` to fetch it."""
+
+
+def config_dir() -> Path:
+    """The cookiesync config directory under ``XDG_CONFIG_HOME`` or ``~/.config``."""
+    return Path(os.environ.get("XDG_CONFIG_HOME") or Path.home() / ".config") / CONFIG_SUBDIR
+
+
+def data_dir() -> Path:
+    """The cookiesync data directory under ``XDG_DATA_HOME`` or ``~/.local/share``."""
+    return Path(os.environ.get("XDG_DATA_HOME") or Path.home() / ".local" / "share") / DATA_SUBDIR
+
+
+def cask_app_dirs() -> tuple[Path, ...]:
+    """The Homebrew cask appdirs an ``app`` stanza may install into, most-specific first."""
+    return Path("/Applications"), Path.home() / "Applications"
+
+
+def helper_app_path() -> Path:
+    """The cask-installed ``cookiesync-keyhelper.app`` bundle path.
+
+    ``brew install yasyf/tap/cookiesync-keyhelper`` moves the signed ``.app`` into the
+    Homebrew cask appdir — ``/Applications`` by default, or ``~/Applications`` when brew
+    runs without admin rights. Returns the first appdir that holds the bundle, falling back
+    to the default appdir so a not-yet-installed helper still reports a stable path.
+    """
+    dirs = cask_app_dirs()
+    return next((app for d in dirs if (app := d / HELPER_APP).is_dir()), dirs[0] / HELPER_APP)
+
+
+def helper_binary() -> Path:
+    """The signed helper's inner executable, e.g. ``…/cookiesync-keyhelper.app/Contents/MacOS/cookiesync-keyhelper``."""
+    return helper_app_path() / "Contents" / "MacOS" / HELPER_EXECUTABLE
+
+
+def require_helper() -> Path:
+    """The signed helper executable, or raise :class:`HelperError` if it is not installed.
+
+    The Secure-Enclave key vault and key cache run inside a Developer-ID-signed,
+    notarized ``.app``; an ad-hoc build is SIGKILLed at exec by AMFI and cannot touch
+    the Enclave. Callers fail closed on a missing helper rather than degrading to an
+    unsigned fallback.
+    """
+    if not (binary := helper_binary()).is_file():
+        raise HelperError(
+            f"cookiesync key helper not found at {binary}; run 'cookiesync install' to fetch the signed helper"
+        )
+    return binary
+
+
+def state_path() -> Path:
+    """The ``state.json`` file holding this host's cookiesync configuration."""
+    return config_dir() / STATE_FILE
+
+
+def sock_path() -> Path:
+    """The daemon's RPC unix socket."""
+    return config_dir() / SOCK_FILE
+
+
+def lock_path() -> Path:
+    """The reconcile lock file every cross-process ``state.json`` writer serializes on."""
+    return config_dir() / LOCK_FILE

cookiesync/registry.py

@@ -0,0 +1,79 @@
+"""Bridge to the ``reposync`` host registry over its ``--json`` contract.
+
+``reposync host ls --json`` and ``reposync self --json`` emit a versioned envelope
+(``{"version": 1, "self": ..., "hosts": [...]}``); we pin ``version == 1`` and fail
+loud on any drift so a contract change can never be silently mis-parsed.
+"""
+
+from __future__ import annotations
+
+import json
+from subprocess import CalledProcessError
+from typing import TYPE_CHECKING
+
+import anyio
+
+from cookiesync.state import SshTarget
+
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
+REGISTRY_VERSION = 1
+
+
+class RegistryError(Exception):
+    """The ``reposync`` registry could not be read or violated its ``--json`` contract."""
+
+
+async def _reposync(*args: str) -> dict:
+    cmd = f"reposync {' '.join(args)}"
+    try:
+        proc = await anyio.run_process(["reposync", *args])
+    except FileNotFoundError as exc:
+        raise RegistryError("reposync is not installed or not on PATH") from exc
+    except CalledProcessError as exc:
+        raise RegistryError(f"{cmd} failed: {exc.stderr.decode().strip() or f'exit {exc.returncode}'}") from exc
+    try:
+        payload = json.loads(proc.stdout)
+    except json.JSONDecodeError as exc:
+        raise RegistryError(f"{cmd} emitted non-JSON output") from exc
+    match payload:
+        case {"version": version, **rest} if version == REGISTRY_VERSION:
+            return rest
+        case {"version": version}:
+            raise RegistryError(f"{cmd} reported version {version}, expected {REGISTRY_VERSION}")
+        case _:
+            raise RegistryError(f"{cmd} omitted the version field")
+
+
+def _targets(hosts: Sequence[str]) -> tuple[SshTarget, ...]:
+    return tuple(SshTarget(host) for host in hosts)
+
+
+async def reposync_registry() -> tuple[SshTarget, tuple[SshTarget, ...]]:
+    """The local target and every peer host, parsed from ``reposync host ls --json``.
+
+    Returns:
+        A ``(self_target, peer_hosts)`` pair; ``peer_hosts`` is empty when this host
+        stands alone.
+
+    Raises:
+        RegistryError: The envelope is missing or pins a version other than ``1``.
+
+    Example:
+        >>> self_target, hosts = await reposync_registry()
+    """
+    data = await _reposync("host", "ls", "--json")
+    return SshTarget(data["self"]), _targets(data["hosts"])
+
+
+async def reposync_self() -> SshTarget:
+    """This machine's own SSH target, parsed from ``reposync self --json``.
+
+    Raises:
+        RegistryError: The envelope is missing or pins a version other than ``1``.
+
+    Example:
+        >>> await reposync_self()
+    """
+    return SshTarget((await _reposync("self", "--json"))["self"])