cookiesync-cli 0.1.0__tar.gz

cookiesync_cli-0.1.0/LICENSE

@@ -0,0 +1,133 @@
+Required Notice: Copyright Yasyf Mohamedali (https://github.com/yasyf/cookiesync)
+
+# PolyForm Noncommercial License 1.0.0
+
+<https://polyformproject.org/licenses/noncommercial/1.0.0>
+
+## Acceptance
+
+In order to get any license under these terms, you must agree
+to them as both strict obligations and conditions to all
+your licenses.
+
+## Copyright License
+
+The licensor grants you a copyright license for the
+software to do everything you might do with the software
+that would otherwise infringe the licensor's copyright
+in it for any permitted purpose.  However, you may
+only distribute the software according to [Distribution
+License](#distribution-license) and make changes or new works
+based on the software according to [Changes and New Works
+License](#changes-and-new-works-license).
+
+## Distribution License
+
+The licensor grants you an additional copyright license
+to distribute copies of the software.  Your license
+to distribute covers distributing the software with
+changes and new works permitted by [Changes and New Works
+License](#changes-and-new-works-license).
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of
+the software from you also gets a copy of these terms or the
+URL for them above, as well as copies of any plain-text lines
+beginning with `Required Notice:` that the licensor provided
+with the software.  For example:
+
+> Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
+
+## Changes and New Works License
+
+The licensor grants you an additional copyright license to
+make changes and new works based on the software for any
+permitted purpose.
+
+## Patent License
+
+The licensor grants you a patent license for the software that
+covers patent claims the licensor can license, or becomes able
+to license, that you would infringe by using the software.
+
+## Noncommercial Purposes
+
+Any noncommercial purpose is a permitted purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for
+the benefit of public knowledge, personal study, private
+entertainment, hobby projects, amateur pursuits, or religious
+observance, without any anticipated commercial application,
+is use for a permitted purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution,
+public research organization, public safety or health
+organization, environmental protection organization,
+or government institution is use for a permitted purpose
+regardless of the source of funding or obligations resulting
+from the funding.
+
+## Fair Use
+
+You may have "fair use" rights for the software under the
+law. These terms do not limit them.
+
+## No Other Rights
+
+These terms do not allow you to sublicense or transfer any of
+your licenses to anyone else, or prevent the licensor from
+granting licenses to anyone else.  These terms do not imply
+any other licenses.
+
+## Patent Defense
+
+If you make any written claim that the software infringes or
+contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If
+your company makes such a claim, your patent license ends
+immediately for work on behalf of your company.
+
+## Violations
+
+The first time you are notified in writing that you have
+violated any of these terms, or done anything with the software
+not covered by your licenses, your licenses can nonetheless
+continue if you come into full compliance with these terms,
+and take practical steps to correct past violations, within
+32 days of receiving notice.  Otherwise, all your licenses
+end immediately.
+
+## No Liability
+
+***As far as the law allows, the software comes as is, without
+any warranty or condition, and the licensor will not be liable
+to you for any damages arising out of these terms or the use
+or nature of the software, under any kind of legal claim.***
+
+## Definitions
+
+The **licensor** is the individual or entity offering these
+terms, and the **software** is the software the licensor makes
+available under these terms.
+
+**You** refers to the individual or entity agreeing to these
+terms.
+
+**Your company** is any legal entity, sole proprietorship,
+or other kind of organization that you work for, plus all
+organizations that have control over, are under the control of,
+or are under common control with that organization.  **Control**
+means ownership of substantially all the assets of an entity,
+or the power to direct its management and policies by vote,
+contract, or otherwise.  Control can be direct or indirect.
+
+**Your licenses** are all the licenses granted to you for the
+software under these terms.
+
+**Use** means anything you do with the software requiring one
+of your licenses.

cookiesync_cli-0.1.0/PKG-INFO

@@ -0,0 +1,120 @@
+Metadata-Version: 2.4
+Name: cookiesync-cli
+Version: 0.1.0
+Summary: Sync your browser cookies across machines.
+Keywords: 
+Author: Yasyf Mohamedali
+Author-email: Yasyf Mohamedali <yasyfm@gmail.com>
+License-Expression: PolyForm-Noncommercial-1.0.0
+License-File: LICENSE
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Typing :: Typed
+Requires-Dist: aiosqlite>=0.20
+Requires-Dist: click>=8
+Requires-Dist: cryptography>=43
+Requires-Dist: filelock>=3.16
+Requires-Dist: loguru>=0.7
+Requires-Dist: watchfiles>=0.24
+Requires-Dist: anyio>=4 ; extra == 'dev'
+Requires-Dist: pytest>=8.0 ; extra == 'dev'
+Requires-Dist: ruff>=0.8 ; extra == 'dev'
+Requires-Python: >=3.13
+Project-URL: Homepage, https://github.com/yasyf/cookiesync
+Project-URL: Repository, https://github.com/yasyf/cookiesync
+Project-URL: Issues, https://github.com/yasyf/cookiesync/issues
+Project-URL: Changelog, https://github.com/yasyf/cookiesync/blob/main/CHANGELOG.md
+Provides-Extra: dev
+Description-Content-Type: text/markdown
+
+# cookiesync
+
+![cookiesync banner](https://github.com/yasyf/cookiesync/raw/main/docs/assets/readme-banner.webp)
+
+[![PyPI](https://img.shields.io/pypi/v/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
+[![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
+[![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
+
+Sync your browser cookies across machines.
+
+cookiesync copies the cookies your browser already holds on one machine and
+replays them on another, so the sites you're signed into follow you between
+laptops. It reuses your existing browser session instead of asking for
+passwords again, so logins, 2FA, and SSO state carry over without you
+re-authenticating anywhere.
+
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
+> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
+> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+
+## Install
+
+cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
+command. You'll reach for it often, so install it onto your PATH with
+[uv](https://docs.astral.sh/uv/):
+
+```bash
+uv tool install cookiesync-cli
+cookiesync --help
+```
+
+To add it to a project instead:
+
+```bash
+uv add cookiesync-cli
+```
+
+## Quickstart
+
+```bash
+# Fetch the signed key helper and start the sync daemon (one time)
+cookiesync install
+
+# Confirm the helper is installed and Developer-ID signed
+cookiesync doctor
+
+# Track a browser to sync between this Mac and another host
+cookiesync browser add other-host chrome
+
+# Hand a logged-in session to a script without giving it a password
+cookiesync cookies https://example.com --browser chrome
+```
+
+Once a browser is tracked, the resident daemon watches its cookie store and
+converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+
+## Commands
+
+| Command | What it does |
+| --- | --- |
+| `install` | Fetch the signed key helper, then install the LaunchAgents (watch daemon + reconcile tick). |
+| `uninstall` | Remove the cookiesync LaunchAgents. |
+| `doctor` | Check that the key helper is installed and Developer-ID signed. |
+| `browser add/ls/rm` | Track, list, and untrack the browser profiles cookiesync syncs across hosts. |
+| `watch` | Run the resident sync daemon: watch local stores and serve the RPC socket. |
+| `sync --browser <name>` | Converge one browser group across this host and its peers. |
+| `reconcile` | Run a full reconcile pass over every tracked browser group. |
+| `auth` | Release the Safe Storage key behind one Touch ID tap and cache it for a short window. |
+| `cookies <url>` | Stream a URL's cookies in the chosen format (Playwright by default). |
+| `self` | Print this host's SSH target, as reposync reports it. |
+| `rpc <method>` | Low-level RPC client for the resident daemon. |
+
+Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
+
+## What problems does this solve?
+
+- A fresh machine means signing into every account again. cookiesync moves your
+  live browser session over, so you land already logged in.
+- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
+  cookies over keeps those sessions valid instead of restarting them.
+- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
+  is browser-agnostic, and you pick which machines and which sites it touches.
+- Automation needs a logged-in session but should never hold a password. Hand a
+  CI job or an agent the cookies it needs instead of a credential it can leak.
+
+## License
+
+PolyForm Noncommercial 1.0.0 — see [LICENSE](https://github.com/yasyf/cookiesync/blob/main/LICENSE).

cookiesync_cli-0.1.0/README.md

@@ -0,0 +1,88 @@
+# cookiesync
+
+![cookiesync banner](https://github.com/yasyf/cookiesync/raw/main/docs/assets/readme-banner.webp)
+
+[![PyPI](https://img.shields.io/pypi/v/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
+[![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
+[![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
+
+Sync your browser cookies across machines.
+
+cookiesync copies the cookies your browser already holds on one machine and
+replays them on another, so the sites you're signed into follow you between
+laptops. It reuses your existing browser session instead of asking for
+passwords again, so logins, 2FA, and SSO state carry over without you
+re-authenticating anywhere.
+
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
+> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
+> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+
+## Install
+
+cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
+command. You'll reach for it often, so install it onto your PATH with
+[uv](https://docs.astral.sh/uv/):
+
+```bash
+uv tool install cookiesync-cli
+cookiesync --help
+```
+
+To add it to a project instead:
+
+```bash
+uv add cookiesync-cli
+```
+
+## Quickstart
+
+```bash
+# Fetch the signed key helper and start the sync daemon (one time)
+cookiesync install
+
+# Confirm the helper is installed and Developer-ID signed
+cookiesync doctor
+
+# Track a browser to sync between this Mac and another host
+cookiesync browser add other-host chrome
+
+# Hand a logged-in session to a script without giving it a password
+cookiesync cookies https://example.com --browser chrome
+```
+
+Once a browser is tracked, the resident daemon watches its cookie store and
+converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+
+## Commands
+
+| Command | What it does |
+| --- | --- |
+| `install` | Fetch the signed key helper, then install the LaunchAgents (watch daemon + reconcile tick). |
+| `uninstall` | Remove the cookiesync LaunchAgents. |
+| `doctor` | Check that the key helper is installed and Developer-ID signed. |
+| `browser add/ls/rm` | Track, list, and untrack the browser profiles cookiesync syncs across hosts. |
+| `watch` | Run the resident sync daemon: watch local stores and serve the RPC socket. |
+| `sync --browser <name>` | Converge one browser group across this host and its peers. |
+| `reconcile` | Run a full reconcile pass over every tracked browser group. |
+| `auth` | Release the Safe Storage key behind one Touch ID tap and cache it for a short window. |
+| `cookies <url>` | Stream a URL's cookies in the chosen format (Playwright by default). |
+| `self` | Print this host's SSH target, as reposync reports it. |
+| `rpc <method>` | Low-level RPC client for the resident daemon. |
+
+Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
+
+## What problems does this solve?
+
+- A fresh machine means signing into every account again. cookiesync moves your
+  live browser session over, so you land already logged in.
+- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
+  cookies over keeps those sessions valid instead of restarting them.
+- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
+  is browser-agnostic, and you pick which machines and which sites it touches.
+- Automation needs a logged-in session but should never hold a password. Hand a
+  CI job or an agent the cookies it needs instead of a credential it can leak.
+
+## License
+
+PolyForm Noncommercial 1.0.0 — see [LICENSE](https://github.com/yasyf/cookiesync/blob/main/LICENSE).

cookiesync_cli-0.1.0/cookiesync/__init__.py

@@ -0,0 +1,3 @@
+"""Sync your browser cookies across machines."""
+
+from __future__ import annotations

cookiesync_cli-0.1.0/cookiesync/__main__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+
+from cookiesync.cli import main
+
+if __name__ == "__main__":
+    main()

cookiesync_cli-0.1.0/cookiesync/cli.py

@@ -0,0 +1,339 @@
+from __future__ import annotations
+
+import json
+from dataclasses import replace
+from typing import TYPE_CHECKING
+
+import anyio
+import click
+from loguru import logger
+
+from cookiesync import helper, paths, state
+from cookiesync.cookie import OutputFormat, StorageState, render
+from cookiesync.cookie.browsers import REGISTRY
+from cookiesync.daemon import rpc
+from cookiesync.daemon.rpc import RpcError
+from cookiesync.daemon.wire import cookie_from_wire
+from cookiesync.helper import HelperState
+from cookiesync.registry import RegistryError, reposync_registry, reposync_self
+from cookiesync.state import BrowserEndpoint, BrowserId, SshTarget, parse_duration
+
+if TYPE_CHECKING:
+    from cookiesync.daemon.wire import Response
+
+
+@click.group()
+@click.version_option(package_name="cookiesync")
+def main() -> None:
+    """Sync your browser cookies across machines."""
+
+
+async def daemon_call(method: str, params: dict | None = None) -> dict | list | None:
+    """Call ``method`` on the resident daemon, raising a clean :class:`click.ClickException` on failure."""
+    try:
+        response = await rpc.call(method, params or {})
+    except RpcError as exc:
+        raise click.ClickException(f"{exc}; is the daemon running? (cookiesync install)") from exc
+    return response_result(response)
+
+
+def response_result(response: Response) -> dict | list | None:
+    if not response.ok:
+        raise click.ClickException(response.error or "daemon error")
+    return response.result
+
+
+@main.group()
+def browser() -> None:
+    """Track the browser profiles cookiesync syncs across hosts."""
+
+
+@browser.command("add")
+@click.argument("host")
+@click.argument("browser_name")
+@click.option("--profile", default="Default", help="Profile directory name.")
+def browser_add(host: str, browser_name: str, profile: str) -> None:
+    """Track a browser profile on HOST for syncing."""
+    anyio.run(add_endpoint, SshTarget(host), browser_name, profile)
+
+
+@browser.command("ls")
+@click.option("--json", "as_json", is_flag=True, help="Emit the endpoints as JSON.")
+def browser_ls(as_json: bool) -> None:
+    """List the tracked browser endpoints."""
+    anyio.run(list_endpoints, as_json)
+
+
+@browser.command("rm")
+@click.argument("host")
+@click.argument("browser_name")
+@click.option("--profile", default="Default", help="Profile directory name.")
+def browser_rm(host: str, browser_name: str, profile: str) -> None:
+    """Stop tracking a browser profile on HOST."""
+    anyio.run(remove_endpoint, SshTarget(host), browser_name, profile)
+
+
+async def add_endpoint(host: SshTarget, browser_name: str, profile: str) -> None:
+    if browser_name not in REGISTRY:
+        raise click.ClickException(f"unknown browser {browser_name!r}; choose from {', '.join(sorted(REGISTRY))}")
+    try:
+        self_target, hosts = await reposync_registry()
+    except RegistryError as exc:
+        raise click.ClickException(str(exc)) from exc
+    if host != self_target and host not in hosts:
+        raise click.ClickException(f"unknown host {host!r}; choose from {', '.join((self_target, *hosts))}")
+    endpoint = BrowserEndpoint(host, BrowserId(browser_name), profile)
+    await state.update(
+        lambda s: replace(
+            s,
+            self_target=self_target,
+            browsers=(*(e for e in s.browsers if e.id != endpoint.id), endpoint),
+        )
+    )
+    logger.debug("tracked {}", endpoint.id)
+    click.echo(f"Tracking {endpoint.id}")
+
+
+async def list_endpoints(as_json: bool) -> None:
+    browsers = (await state.load()).browsers
+    if as_json:
+        click.echo(json.dumps([endpoint.to_json() for endpoint in browsers], indent=2))
+        return
+    click.echo("\n".join(endpoint.id for endpoint in browsers) if browsers else "No tracked browsers.")
+
+
+async def remove_endpoint(host: SshTarget, browser_name: str, profile: str) -> None:
+    target = BrowserEndpoint(host, BrowserId(browser_name), profile).id
+    await state.update(lambda s: replace(s, browsers=tuple(e for e in s.browsers if e.id != target)))
+    logger.debug("untracked {}", target)
+    click.echo(f"Untracked {target}")
+
+
+@main.command()
+def watch() -> None:
+    """Run the resident sync daemon: watch local stores and serve the RPC socket."""
+    anyio.run(run_watch)
+
+
+async def run_watch() -> None:
+    from cookiesync.daemon import Daemon
+
+    logger.debug("starting cookiesync daemon")
+    await (await Daemon.build()).watch()
+
+
+@main.command()
+@click.option("--tick-only", is_flag=True, help="Install only the periodic reconcile tick, not the watch daemon.")
+def install(tick_only: bool) -> None:
+    """Fetch the signed key helper, then install the cookiesync LaunchAgents (watch daemon and reconcile tick)."""
+    anyio.run(run_install, tick_only)
+
+
+async def run_install(tick_only: bool) -> None:
+    from cookiesync.service import LaunchctlLauncher, install
+
+    await ensure_helper()
+    await install(LaunchctlLauncher(), tick_only=tick_only)
+    click.echo("Installed cookiesync agents." if not tick_only else "Installed the cookiesync reconcile tick.")
+
+
+async def ensure_helper() -> None:
+    match await helper.helper_state():
+        case HelperState.OK:
+            click.echo(f"Key helper present and Developer-ID-signed: {paths.helper_app_path()}")
+        case _:
+            click.echo(
+                "Installing the signed key helper via Homebrew (brew install yasyf/tap/cookiesync-keyhelper)…", err=True
+            )
+            try:
+                app = await helper.install_helper()
+            except helper.HelperInstallError as exc:
+                raise click.ClickException(str(exc)) from exc
+            click.echo(f"Installed and verified key helper: {app}")
+
+
+@main.command()
+def doctor() -> None:
+    """Check that the signed Secure-Enclave key helper is installed and Developer-ID-signed."""
+    anyio.run(run_doctor)
+
+
+async def run_doctor() -> None:
+    match await helper.helper_state():
+        case HelperState.OK if await helper.supports_contract():
+            click.echo(f"key helper OK: {paths.helper_app_path()} (Developer ID signed, key-helper contract supported)")
+        case HelperState.OK:
+            raise click.ClickException(
+                f"key helper at {paths.helper_app_path()} is installed but does not support the required "
+                "key-helper contract (likely a stale cask); reinstall the key helper: cookiesync install"
+            )
+        case HelperState.UNSIGNED:
+            raise click.ClickException(
+                f"key helper at {paths.helper_app_path()} is not Developer-ID-signed; "
+                "reinstall the notarized .app via 'cookiesync install'"
+            )
+        case HelperState.MISSING:
+            raise click.ClickException(
+                f"key helper not installed at {paths.helper_app_path()}; run 'cookiesync install' to fetch it"
+            )
+
+
+@main.command()
+def uninstall() -> None:
+    """Remove the cookiesync LaunchAgents."""
+    anyio.run(run_uninstall)
+
+
+async def run_uninstall() -> None:
+    from cookiesync.service import LaunchctlLauncher, uninstall
+
+    await uninstall(LaunchctlLauncher())
+    click.echo("Uninstalled cookiesync agents.")
+
+
+@main.command()
+def reconcile() -> None:
+    """Ask the daemon to run a full reconcile pass over every tracked browser group."""
+    anyio.run(run_reconcile)
+
+
+async def run_reconcile() -> None:
+    result = await daemon_call("reconcile")
+    click.echo(json.dumps(result, indent=2))
+
+
+@main.command("sync")
+@click.option("--browser", "browser_name", required=True, help="The browser group to converge.")
+def sync_cmd(browser_name: str) -> None:
+    """Ask the daemon to converge one browser group across this host and its peers."""
+    anyio.run(run_sync, browser_name)
+
+
+async def run_sync(browser_name: str) -> None:
+    result = await daemon_call("sync", {"browser": browser_name})
+    click.echo(json.dumps(result, indent=2))
+
+
+@main.command()
+@click.option("--browser", "browser_name", default="chrome", show_default=True, help="The browser to authenticate.")
+@click.option("--profile", default="Default", show_default=True, help="The profile to authenticate.")
+@click.option("--ttl", default=None, help="Override the cache TTL (Go-style duration, e.g. 15m).")
+def auth(browser_name: str, profile: str, ttl: str | None) -> None:
+    """Release the Safe Storage key behind one Touch ID tap and cache it for a short window."""
+    anyio.run(run_auth, browser_name, profile, ttl)
+
+
+async def run_auth(browser_name: str, profile: str, ttl: str | None) -> None:
+    if ttl is not None:
+        await state.update(lambda s: replace(s, settings=replace(s.settings, auth_ttl=parse_duration(ttl))))
+    result = await daemon_call("prime_auth", {"browser": browser_name, "profile": profile})
+    click.echo(f"Authenticated {result['endpoint']}.")
+
+
+@main.command()
+@click.argument("url")
+@click.option(
+    "--browser", "browser_name", default="chrome", show_default=True, help="The browser to read cookies from."
+)
+@click.option("--profile", default="Default", show_default=True, help="The profile to read cookies from.")
+@click.option(
+    "--format",
+    "fmt",
+    type=click.Choice([f.value for f in OutputFormat]),
+    default=OutputFormat.PLAYWRIGHT.value,
+    show_default=True,
+    help="The output wire format.",
+)
+def cookies(url: str, browser_name: str, profile: str, fmt: str) -> None:
+    """Stream URL's cookies in the chosen format, decrypting with the daemon's cached key."""
+    anyio.run(run_cookies, url, browser_name, profile, fmt)
+
+
+async def run_cookies(url: str, browser_name: str, profile: str, fmt: str) -> None:
+    result = await daemon_call("get_cookies", {"url": url, "browser": browser_name, "profile": profile})
+    state_obj = StorageState(tuple(cookie_from_wire(c) for c in result["cookies"]))
+    for line in render(state_obj, OutputFormat(fmt)):
+        click.echo(line)
+
+
+@main.group()
+def rpc_group() -> None:
+    """Low-level RPC client: drive the resident daemon over its unix socket."""
+
+
+main.add_command(rpc_group, name="rpc")
+
+
+@rpc_group.command("extract")
+@click.option("--browser", "browser_name", required=True)
+@click.option("--profile", default="Default")
+@click.option("--origin", default=None)
+def rpc_extract(browser_name: str, profile: str, origin: str | None) -> None:
+    """Return this host's decrypted cookies for a browser as wire records (used by peers over ssh)."""
+    anyio.run(run_rpc_passthrough, "extract", {"browser": browser_name, "profile": profile, "origin": origin})
+
+
+@rpc_group.command("apply")
+@click.option("--browser", "browser_name", required=True)
+@click.option("--profile", default="Default")
+@click.option("--origin", default=None)
+def rpc_apply(browser_name: str, profile: str, origin: str | None) -> None:
+    """Ingest a merged wire cookie array from stdin into this host's store (used by peers over ssh)."""
+    cookies_in = json.loads(click.get_text_stream("stdin").read())
+    anyio.run(
+        run_rpc_passthrough,
+        "apply",
+        {"browser": browser_name, "profile": profile, "origin": origin, "cookies": cookies_in},
+    )
+
+
+@rpc_group.command("sync")
+@click.option("--browser", "browser_name", required=True)
+@click.option("--origin", default=None)
+def rpc_sync(browser_name: str, origin: str | None) -> None:
+    """Ask the daemon to converge one browser group, tagged with the notifying peer's origin."""
+    anyio.run(run_rpc_passthrough, "sync", {"browser": browser_name, "origin": origin})
+
+
+@rpc_group.command("reconcile")
+def rpc_reconcile() -> None:
+    """Ask the daemon to run a full reconcile pass."""
+    anyio.run(run_rpc_passthrough, "reconcile", {})
+
+
+@rpc_group.command("whoami")
+def rpc_whoami() -> None:
+    """Report this host's console session state."""
+    anyio.run(run_rpc_passthrough, "whoami", {})
+
+
+@rpc_group.command("request_consent")
+@click.option("--browser", "browser_name", required=True)
+@click.option("--profile", default="Default")
+@click.option("--nonce", required=True)
+@click.option("--endpoint", required=True)
+def rpc_request_consent(browser_name: str, profile: str, nonce: str, endpoint: str) -> None:
+    """Show the Touch ID prompt for BROWSER here and echo the requester's nonce + endpoint."""
+    anyio.run(
+        run_rpc_passthrough,
+        "request_consent",
+        {"browser": browser_name, "profile": profile, "nonce": nonce, "endpoint": endpoint},
+    )
+
+
+async def run_rpc_passthrough(method: str, params: dict) -> None:
+    click.echo(json.dumps(await daemon_call(method, params)))
+
+
+@main.command(name="self")
+def self_cmd() -> None:
+    """Print this host's own SSH target, as reposync reports it."""
+    anyio.run(run_self)
+
+
+async def run_self() -> None:
+    try:
+        target = await reposync_self()
+    except RegistryError as exc:
+        raise click.ClickException(str(exc)) from exc
+    click.echo(target)