cookiesync-cli 0.1.1__tar.gz → 0.1.3__tar.gz

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cookiesync-cli
-Version: 0.1.1
+Version: 0.1.3
 Summary: Sync your browser cookies across machines.
 Keywords: 
 Author: Yasyf Mohamedali
@@ -38,53 +38,46 @@ Description-Content-Type: text/markdown
 [![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
 [![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
 
-Sync your browser cookies across machines.
+Sync your browser cookies across machines — land on a new laptop already logged in.
 
-cookiesync copies the cookies your browser already holds on one machine and
-replays them on another, so the sites you're signed into follow you between
-laptops. It reuses your existing browser session instead of asking for
-passwords again, so logins, 2FA, and SSO state carry over without you
-re-authenticating anywhere.
+cookiesync copies the cookies your browser already holds on one machine and replays
+them on another, reusing your live session instead of asking for passwords again — so
+logins, 2FA, and SSO state carry over without re-authenticating. It's browser-agnostic,
+and you pick which machines and which sites it touches. Automation can borrow a
+logged-in session too: hand a CI job or an agent the cookies it needs, never a password.
 
-> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
-> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
-> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a Touch ID
+> prompt and a Secure Enclave–bound daemon, so decrypted cookies never land on disk.
+> The key helper is a Developer-ID-signed, notarized `.app`.
 
 ## Install
 
-cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
-command. You'll reach for it often, so install it onto your PATH with
-[uv](https://docs.astral.sh/uv/):
+Install the `cookiesync` command with [uv](https://docs.astral.sh/uv/):
 
 ```bash
 uv tool install cookiesync-cli
 cookiesync --help
 ```
 
-To add it to a project instead:
-
-```bash
-uv add cookiesync-cli
-```
-
 ## Quickstart
 
 ```bash
-# Fetch the signed key helper and start the sync daemon (one time)
-cookiesync install
-
-# Confirm the helper is installed and Developer-ID signed
-cookiesync doctor
+# Fetch the signed key helper and install the LaunchAgents (one time)
+$ cookiesync install
+Installing the signed key helper via Homebrew (brew install yasyf/tap/cookiesync-keyhelper)…
+Installed and verified key helper: /Applications/cookiesync-keyhelper.app
+Installed cookiesync agents.
 
 # Track a browser to sync between this Mac and another host
-cookiesync browser add other-host chrome
+$ cookiesync browser add other-host chrome
+Tracking other-host/chrome/Default
 
-# Hand a logged-in session to a script without giving it a password
-cookiesync cookies https://example.com --browser chrome
+# Hand a logged-in session to a script — no password
+$ cookiesync cookies https://example.com --browser chrome
 ```
 
-Once a browser is tracked, the resident daemon watches its cookie store and
-converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+Once a browser is tracked, the resident daemon watches its cookie store and converges
+it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 ## Commands
 
@@ -104,16 +97,14 @@ converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
 
-## What problems does this solve?
+## How it works
 
-- A fresh machine means signing into every account again. cookiesync moves your
-  live browser session over, so you land already logged in.
-- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
-  cookies over keeps those sessions valid instead of restarting them.
-- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
-  is browser-agnostic, and you pick which machines and which sites it touches.
-- Automation needs a logged-in session but should never hold a password. Hand a
-  CI job or an agent the cookies it needs instead of a credential it can leak.
+`cookiesync install` fetches the notarized key helper and starts a resident daemon. The
+daemon watches each tracked browser's cookie store, and on a change it converges that
+group across your hosts over SSH — extracting and re-applying cookies through the same
+RPC the peers speak. Decryption needs the browser's Safe Storage key, which the helper
+releases only behind a Touch ID tap (`cookiesync auth`) and caches in the
+Secure-Enclave-bound daemon for a short window, never on disk.
 
 ## License
 

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/README.md

@@ -6,53 +6,46 @@
 [![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
 [![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
 
-Sync your browser cookies across machines.
+Sync your browser cookies across machines — land on a new laptop already logged in.
 
-cookiesync copies the cookies your browser already holds on one machine and
-replays them on another, so the sites you're signed into follow you between
-laptops. It reuses your existing browser session instead of asking for
-passwords again, so logins, 2FA, and SSO state carry over without you
-re-authenticating anywhere.
+cookiesync copies the cookies your browser already holds on one machine and replays
+them on another, reusing your live session instead of asking for passwords again — so
+logins, 2FA, and SSO state carry over without re-authenticating. It's browser-agnostic,
+and you pick which machines and which sites it touches. Automation can borrow a
+logged-in session too: hand a CI job or an agent the cookies it needs, never a password.
 
-> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
-> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
-> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a Touch ID
+> prompt and a Secure Enclave–bound daemon, so decrypted cookies never land on disk.
+> The key helper is a Developer-ID-signed, notarized `.app`.
 
 ## Install
 
-cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
-command. You'll reach for it often, so install it onto your PATH with
-[uv](https://docs.astral.sh/uv/):
+Install the `cookiesync` command with [uv](https://docs.astral.sh/uv/):
 
 ```bash
 uv tool install cookiesync-cli
 cookiesync --help
 ```
 
-To add it to a project instead:
-
-```bash
-uv add cookiesync-cli
-```
-
 ## Quickstart
 
 ```bash
-# Fetch the signed key helper and start the sync daemon (one time)
-cookiesync install
-
-# Confirm the helper is installed and Developer-ID signed
-cookiesync doctor
+# Fetch the signed key helper and install the LaunchAgents (one time)
+$ cookiesync install
+Installing the signed key helper via Homebrew (brew install yasyf/tap/cookiesync-keyhelper)…
+Installed and verified key helper: /Applications/cookiesync-keyhelper.app
+Installed cookiesync agents.
 
 # Track a browser to sync between this Mac and another host
-cookiesync browser add other-host chrome
+$ cookiesync browser add other-host chrome
+Tracking other-host/chrome/Default
 
-# Hand a logged-in session to a script without giving it a password
-cookiesync cookies https://example.com --browser chrome
+# Hand a logged-in session to a script — no password
+$ cookiesync cookies https://example.com --browser chrome
 ```
 
-Once a browser is tracked, the resident daemon watches its cookie store and
-converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+Once a browser is tracked, the resident daemon watches its cookie store and converges
+it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 ## Commands
 
@@ -72,16 +65,14 @@ converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
 
-## What problems does this solve?
+## How it works
 
-- A fresh machine means signing into every account again. cookiesync moves your
-  live browser session over, so you land already logged in.
-- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
-  cookies over keeps those sessions valid instead of restarting them.
-- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
-  is browser-agnostic, and you pick which machines and which sites it touches.
-- Automation needs a logged-in session but should never hold a password. Hand a
-  CI job or an agent the cookies it needs instead of a credential it can leak.
+`cookiesync install` fetches the notarized key helper and starts a resident daemon. The
+daemon watches each tracked browser's cookie store, and on a change it converges that
+group across your hosts over SSH — extracting and re-applying cookies through the same
+RPC the peers speak. Decryption needs the browser's Safe Storage key, which the helper
+releases only behind a Touch ID tap (`cookiesync auth`) and caches in the
+Secure-Enclave-bound daemon for a short window, never on disk.
 
 ## License
 

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/cookiesync/cli.py

@@ -119,6 +119,9 @@ async def run_watch() -> None:
     from cookiesync.daemon import Daemon
 
     logger.debug("starting cookiesync daemon")
+    # The daemon needs the signed helper for the SE key vault and cache; install it
+    # if absent so the helper is fully CLI-managed (the user never runs brew by hand).
+    await ensure_helper()
     await (await Daemon.build()).watch()
 
 
@@ -217,16 +220,18 @@ async def run_sync(browser_name: str) -> None:
 @main.command()
 @click.option("--browser", "browser_name", default="chrome", show_default=True, help="The browser to authenticate.")
 @click.option("--profile", default="Default", show_default=True, help="The profile to authenticate.")
+@click.option("--reason", default=None, help="What the Touch ID prompt should say you're unlocking the cookies to do.")
 @click.option("--ttl", default=None, help="Override the cache TTL (Go-style duration, e.g. 15m).")
-def auth(browser_name: str, profile: str, ttl: str | None) -> None:
+def auth(browser_name: str, profile: str, reason: str | None, ttl: str | None) -> None:
     """Release the Safe Storage key behind one Touch ID tap and cache it for a short window."""
-    anyio.run(run_auth, browser_name, profile, ttl)
+    anyio.run(run_auth, browser_name, profile, reason, ttl)
 
 
-async def run_auth(browser_name: str, profile: str, ttl: str | None) -> None:
+async def run_auth(browser_name: str, profile: str, reason: str | None, ttl: str | None) -> None:
     if ttl is not None:
         await state.update(lambda s: replace(s, settings=replace(s.settings, auth_ttl=parse_duration(ttl))))
-    result = await daemon_call("prime_auth", {"browser": browser_name, "profile": profile})
+    params = {"browser": browser_name, "profile": profile} | ({"reason": reason} if reason else {})
+    result = await daemon_call("prime_auth", params)
     click.echo(f"Authenticated {result['endpoint']}.")
 
 

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/cookiesync/cookie/consent.py

@@ -46,12 +46,12 @@ class ConsentError(Exception):
 
 
 def compose_reason(host: str, reason: str) -> str:
-    """Touch ID prompt text: domain first, the caller's reason as a 'to …' clause.
+    """Touch ID prompt text: concise and specific — what is unlocked, then a short why.
 
     ``reason`` is collapsed to a single line and capped, since it surfaces verbatim in
-    a security dialog.
+    the Touch ID dialog.
     """
-    return f"access your {host} session to {' '.join(reason.split())[:REASON_CAP]}"
+    return f"unlock your {host} cookies to {' '.join(reason.split())[:REASON_CAP]}"
 
 
 class Consent(Protocol):

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/cookiesync/daemon/engine.py

@@ -32,6 +32,7 @@ from dataclasses import dataclass, field
 from typing import TYPE_CHECKING, NewType, Protocol
 
 import anyio
+from loguru import logger
 
 from cookiesync.cookie import REGISTRY
 from cookiesync.cookie.browsers import BrowserName
@@ -101,10 +102,19 @@ async def cookies_mtime(endpoint: BrowserEndpoint) -> float:
 
 
 async def watch_endpoint(endpoint: BrowserEndpoint) -> AsyncIterator[object]:
-    """Yield once per ``watchfiles`` change batch on an endpoint's profile directory."""
+    """Yield once per ``watchfiles`` change batch on an endpoint's profile directory.
+
+    A local endpoint whose profile directory does not exist yet — e.g. a registered sync
+    target this host has not created — has nothing to watch. Log and return rather than let
+    ``watchfiles`` raise ``FileNotFoundError`` and tear the whole daemon down.
+    """
     from watchfiles import awatch
 
-    async for changes in awatch(watch_dir(endpoint)):
+    directory = watch_dir(endpoint)
+    if not await anyio.Path(str(directory)).exists():
+        logger.warning("not watching {}: profile dir {} does not exist", endpoint.id, directory)
+        return
+    async for changes in awatch(directory):
         yield changes
 
 

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/cookiesync/daemon/server.py

@@ -65,7 +65,7 @@ if TYPE_CHECKING:
 PEER_METHODS = ("sync", "reconcile", "extract", "apply", "whoami")
 LOCAL_METHODS = ("prime_auth", "get_cookies", "auth_status", "request_consent")
 
-CONSENT_REASON = "sync your cookies across your machines"
+CONSENT_REASON = "sync them across your Macs"
 DEFAULT_PROFILE = "Default"
 
 
@@ -274,10 +274,12 @@ class Daemon:
         state = await self.load_state()
         browser = BrowserId(params["browser"])
         profile = params.get("profile", DEFAULT_PROFILE)
-        await self.prime_auth(browser, profile, state)
+        await self.prime_auth(browser, profile, state, reason=params.get("reason") or CONSENT_REASON)
         return {"primed": True, "endpoint": endpoint_id(state.self_target, browser, profile)}
 
-    async def prime_auth(self, browser: BrowserId, profile: str, state: State) -> AesKey:
+    async def prime_auth(
+        self, browser: BrowserId, profile: str, state: State, *, reason: str = CONSENT_REASON
+    ) -> AesKey:
         """Obtain the Safe Storage key and cache it under the endpoint's TTL.
 
         A live local session releases the key behind one Touch-ID tap here. Otherwise the user
@@ -288,7 +290,7 @@ class Daemon:
         :class:`AuthRequired` when no peer can approve or the reply fails to bind.
         """
         if await has_active_session(probe=self.probe):
-            key = await self.consent.obtain_key(browser_for(browser), reason=CONSENT_REASON)
+            key = await self.consent.obtain_key(browser_for(browser), reason=reason)
         else:
             key = await self.routed_release(browser, profile, state)
         await self.cache.put(
@@ -368,7 +370,7 @@ class Daemon:
         if not await has_active_session(probe=self.probe):
             return {"status": "unavailable"}
         try:
-            await self.consent.obtain_key(browser_for(browser), reason=f"release {endpoint}")
+            await self.consent.obtain_key(browser_for(browser), reason=f"sync them to {endpoint}")
         except ConsentError:
             return {"status": "denied"}
         return {"status": "approved", "nonce": nonce, "endpoint": endpoint}

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/cookiesync/helper.py

@@ -50,7 +50,9 @@ async def developer_id_signed(app_path: Path) -> bool:
     returns ``False``.
     """
     result = await anyio.run_process(
-        [CODESIGN, "--verify", "--strict", "-R", DEVELOPER_ID_REQUIREMENT, str(app_path)],
+        # -R takes the requirement inline via `-R=<req>`; as a separate argv (`-R`, `<req>`)
+        # codesign reads it as a requirement *file* path and fails "invalid requirement".
+        [CODESIGN, "--verify", "--strict", f"-R={DEVELOPER_ID_REQUIREMENT}", str(app_path)],
         check=False,
     )
     return result.returncode == 0
@@ -76,7 +78,11 @@ async def supports_contract() -> bool:
         [str(paths.helper_binary()), "vault-status", PROBE_VAULT],
         check=False,
     )
-    return result.returncode == 0 and CONTRACT_LINE.search(result.stdout) is not None
+    # vault-status prints the contract line then exits 2 ("unavailable") for a vault that
+    # doesn't exist — our probe vault never does — so the contract line on stdout, not the
+    # exit code, is the capability signal. A helper lacking the subcommand prints usage to
+    # stderr and emits no such line.
+    return CONTRACT_LINE.search(result.stdout) is not None
 
 
 async def install_helper() -> Path:

{cookiesync_cli-0.1.1 → cookiesync_cli-0.1.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "cookiesync-cli"
-version = "0.1.1"
+version = "0.1.3"
 description = "Sync your browser cookies across machines."
 readme = "README.md"
 license = "PolyForm-Noncommercial-1.0.0"