cookiesync-cli 0.1.2__tar.gz → 0.1.4__tar.gz

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cookiesync-cli
-Version: 0.1.2
+Version: 0.1.4
 Summary: Sync your browser cookies across machines.
 Keywords: 
 Author: Yasyf Mohamedali
@@ -38,53 +38,46 @@ Description-Content-Type: text/markdown
 [![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
 [![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
 
-Sync your browser cookies across machines.
+Sync your browser cookies across machines — land on a new laptop already logged in.
 
-cookiesync copies the cookies your browser already holds on one machine and
-replays them on another, so the sites you're signed into follow you between
-laptops. It reuses your existing browser session instead of asking for
-passwords again, so logins, 2FA, and SSO state carry over without you
-re-authenticating anywhere.
+cookiesync copies the cookies your browser already holds on one machine and replays
+them on another, reusing your live session instead of asking for passwords again — so
+logins, 2FA, and SSO state carry over without re-authenticating. It's browser-agnostic,
+and you pick which machines and which sites it touches. Automation can borrow a
+logged-in session too: hand a CI job or an agent the cookies it needs, never a password.
 
-> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
-> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
-> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a Touch ID
+> prompt and a Secure Enclave–bound daemon, so decrypted cookies never land on disk.
+> The key helper is a Developer-ID-signed, notarized `.app`.
 
 ## Install
 
-cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
-command. You'll reach for it often, so install it onto your PATH with
-[uv](https://docs.astral.sh/uv/):
+Install the `cookiesync` command with [uv](https://docs.astral.sh/uv/):
 
 ```bash
 uv tool install cookiesync-cli
 cookiesync --help
 ```
 
-To add it to a project instead:
-
-```bash
-uv add cookiesync-cli
-```
-
 ## Quickstart
 
 ```bash
-# Fetch the signed key helper and start the sync daemon (one time)
-cookiesync install
-
-# Confirm the helper is installed and Developer-ID signed
-cookiesync doctor
+# Fetch the signed key helper and install the LaunchAgents (one time)
+$ cookiesync install
+Installing the signed key helper via Homebrew (brew install yasyf/tap/cookiesync-keyhelper)…
+Installed and verified key helper: /Applications/cookiesync-keyhelper.app
+Installed cookiesync agents.
 
 # Track a browser to sync between this Mac and another host
-cookiesync browser add other-host chrome
+$ cookiesync browser add other-host chrome
+Tracking other-host/chrome/Default
 
-# Hand a logged-in session to a script without giving it a password
-cookiesync cookies https://example.com --browser chrome
+# Hand a logged-in session to a script — no password
+$ cookiesync cookies https://example.com --browser chrome
 ```
 
-Once a browser is tracked, the resident daemon watches its cookie store and
-converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+Once a browser is tracked, the resident daemon watches its cookie store and converges
+it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 ## Commands
 
@@ -104,16 +97,14 @@ converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
 
-## What problems does this solve?
+## How it works
 
-- A fresh machine means signing into every account again. cookiesync moves your
-  live browser session over, so you land already logged in.
-- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
-  cookies over keeps those sessions valid instead of restarting them.
-- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
-  is browser-agnostic, and you pick which machines and which sites it touches.
-- Automation needs a logged-in session but should never hold a password. Hand a
-  CI job or an agent the cookies it needs instead of a credential it can leak.
+`cookiesync install` fetches the notarized key helper and starts a resident daemon. The
+daemon watches each tracked browser's cookie store, and on a change it converges that
+group across your hosts over SSH — extracting and re-applying cookies through the same
+RPC the peers speak. Decryption needs the browser's Safe Storage key, which the helper
+releases only behind a Touch ID tap (`cookiesync auth`) and caches in the
+Secure-Enclave-bound daemon for a short window, never on disk.
 
 ## License
 

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/README.md

@@ -6,53 +6,46 @@
 [![Python](https://img.shields.io/pypi/pyversions/cookiesync-cli.svg)](https://pypi.org/project/cookiesync-cli/)
 [![License: PolyForm Noncommercial 1.0.0](https://img.shields.io/badge/License-PolyForm--Noncommercial--1.0.0-blue.svg)](https://github.com/yasyf/cookiesync/blob/main/LICENSE)
 
-Sync your browser cookies across machines.
+Sync your browser cookies across machines — land on a new laptop already logged in.
 
-cookiesync copies the cookies your browser already holds on one machine and
-replays them on another, so the sites you're signed into follow you between
-laptops. It reuses your existing browser session instead of asking for
-passwords again, so logins, 2FA, and SSO state carry over without you
-re-authenticating anywhere.
+cookiesync copies the cookies your browser already holds on one machine and replays
+them on another, reusing your live session instead of asking for passwords again — so
+logins, 2FA, and SSO state carry over without re-authenticating. It's browser-agnostic,
+and you pick which machines and which sites it touches. Automation can borrow a
+logged-in session too: hand a CI job or an agent the cookies it needs, never a password.
 
-> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a
-> Touch ID prompt and a Secure Enclave–bound daemon, so decrypted cookies never
-> land on disk. The key helper is a Developer-ID-signed, notarized `.app`.
+> **macOS only.** cookiesync keeps your browser's Safe Storage key behind a Touch ID
+> prompt and a Secure Enclave–bound daemon, so decrypted cookies never land on disk.
+> The key helper is a Developer-ID-signed, notarized `.app`.
 
 ## Install
 
-cookiesync publishes on PyPI as `cookiesync-cli` and installs a `cookiesync`
-command. You'll reach for it often, so install it onto your PATH with
-[uv](https://docs.astral.sh/uv/):
+Install the `cookiesync` command with [uv](https://docs.astral.sh/uv/):
 
 ```bash
 uv tool install cookiesync-cli
 cookiesync --help
 ```
 
-To add it to a project instead:
-
-```bash
-uv add cookiesync-cli
-```
-
 ## Quickstart
 
 ```bash
-# Fetch the signed key helper and start the sync daemon (one time)
-cookiesync install
-
-# Confirm the helper is installed and Developer-ID signed
-cookiesync doctor
+# Fetch the signed key helper and install the LaunchAgents (one time)
+$ cookiesync install
+Installing the signed key helper via Homebrew (brew install yasyf/tap/cookiesync-keyhelper)…
+Installed and verified key helper: /Applications/cookiesync-keyhelper.app
+Installed cookiesync agents.
 
 # Track a browser to sync between this Mac and another host
-cookiesync browser add other-host chrome
+$ cookiesync browser add other-host chrome
+Tracking other-host/chrome/Default
 
-# Hand a logged-in session to a script without giving it a password
-cookiesync cookies https://example.com --browser chrome
+# Hand a logged-in session to a script — no password
+$ cookiesync cookies https://example.com --browser chrome
 ```
 
-Once a browser is tracked, the resident daemon watches its cookie store and
-converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
+Once a browser is tracked, the resident daemon watches its cookie store and converges
+it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 ## Commands
 
@@ -72,16 +65,14 @@ converges it across your hosts. Run `cookiesync reconcile` to force a full pass.
 
 Run `cookiesync --help`, or `cookiesync <command> --help`, for the full reference.
 
-## What problems does this solve?
+## How it works
 
-- A fresh machine means signing into every account again. cookiesync moves your
-  live browser session over, so you land already logged in.
-- 2FA and SSO re-prompt whenever you switch laptops. Carrying the existing
-  cookies over keeps those sessions valid instead of restarting them.
-- Built-in browser sync is all-or-nothing and locked to one vendor. cookiesync
-  is browser-agnostic, and you pick which machines and which sites it touches.
-- Automation needs a logged-in session but should never hold a password. Hand a
-  CI job or an agent the cookies it needs instead of a credential it can leak.
+`cookiesync install` fetches the notarized key helper and starts a resident daemon. The
+daemon watches each tracked browser's cookie store, and on a change it converges that
+group across your hosts over SSH — extracting and re-applying cookies through the same
+RPC the peers speak. Decryption needs the browser's Safe Storage key, which the helper
+releases only behind a Touch ID tap (`cookiesync auth`) and caches in the
+Secure-Enclave-bound daemon for a short window, never on disk.
 
 ## License
 

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/cookiesync/cli.py

@@ -119,6 +119,9 @@ async def run_watch() -> None:
     from cookiesync.daemon import Daemon
 
     logger.debug("starting cookiesync daemon")
+    # The daemon needs the signed helper for the SE key vault and cache; install it
+    # if absent so the helper is fully CLI-managed (the user never runs brew by hand).
+    await ensure_helper()
     await (await Daemon.build()).watch()
 
 
@@ -217,16 +220,18 @@ async def run_sync(browser_name: str) -> None:
 @main.command()
 @click.option("--browser", "browser_name", default="chrome", show_default=True, help="The browser to authenticate.")
 @click.option("--profile", default="Default", show_default=True, help="The profile to authenticate.")
+@click.option("--reason", default=None, help="What the Touch ID prompt should say you're unlocking the cookies to do.")
 @click.option("--ttl", default=None, help="Override the cache TTL (Go-style duration, e.g. 15m).")
-def auth(browser_name: str, profile: str, ttl: str | None) -> None:
+def auth(browser_name: str, profile: str, reason: str | None, ttl: str | None) -> None:
     """Release the Safe Storage key behind one Touch ID tap and cache it for a short window."""
-    anyio.run(run_auth, browser_name, profile, ttl)
+    anyio.run(run_auth, browser_name, profile, reason, ttl)
 
 
-async def run_auth(browser_name: str, profile: str, ttl: str | None) -> None:
+async def run_auth(browser_name: str, profile: str, reason: str | None, ttl: str | None) -> None:
     if ttl is not None:
         await state.update(lambda s: replace(s, settings=replace(s.settings, auth_ttl=parse_duration(ttl))))
-    result = await daemon_call("prime_auth", {"browser": browser_name, "profile": profile})
+    params = {"browser": browser_name, "profile": profile} | ({"reason": reason} if reason else {})
+    result = await daemon_call("prime_auth", params)
     click.echo(f"Authenticated {result['endpoint']}.")
 
 

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/cookiesync/cookie/consent.py

@@ -46,12 +46,12 @@ class ConsentError(Exception):
 
 
 def compose_reason(host: str, reason: str) -> str:
-    """Touch ID prompt text: domain first, the caller's reason as a 'to …' clause.
+    """Touch ID prompt text: concise and specific — what is unlocked, then a short why.
 
     ``reason`` is collapsed to a single line and capped, since it surfaces verbatim in
-    a security dialog.
+    the Touch ID dialog.
     """
-    return f"access your {host} session to {' '.join(reason.split())[:REASON_CAP]}"
+    return f"unlock your {host} cookies to {' '.join(reason.split())[:REASON_CAP]}"
 
 
 class Consent(Protocol):

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/cookiesync/daemon/server.py

@@ -65,7 +65,7 @@ if TYPE_CHECKING:
 PEER_METHODS = ("sync", "reconcile", "extract", "apply", "whoami")
 LOCAL_METHODS = ("prime_auth", "get_cookies", "auth_status", "request_consent")
 
-CONSENT_REASON = "sync your cookies across your machines"
+CONSENT_REASON = "sync them across your Macs"
 DEFAULT_PROFILE = "Default"
 
 
@@ -274,10 +274,12 @@ class Daemon:
         state = await self.load_state()
         browser = BrowserId(params["browser"])
         profile = params.get("profile", DEFAULT_PROFILE)
-        await self.prime_auth(browser, profile, state)
+        await self.prime_auth(browser, profile, state, reason=params.get("reason") or CONSENT_REASON)
         return {"primed": True, "endpoint": endpoint_id(state.self_target, browser, profile)}
 
-    async def prime_auth(self, browser: BrowserId, profile: str, state: State) -> AesKey:
+    async def prime_auth(
+        self, browser: BrowserId, profile: str, state: State, *, reason: str = CONSENT_REASON
+    ) -> AesKey:
         """Obtain the Safe Storage key and cache it under the endpoint's TTL.
 
         A live local session releases the key behind one Touch-ID tap here. Otherwise the user
@@ -288,7 +290,7 @@ class Daemon:
         :class:`AuthRequired` when no peer can approve or the reply fails to bind.
         """
         if await has_active_session(probe=self.probe):
-            key = await self.consent.obtain_key(browser_for(browser), reason=CONSENT_REASON)
+            key = await self.consent.obtain_key(browser_for(browser), reason=reason)
         else:
             key = await self.routed_release(browser, profile, state)
         await self.cache.put(
@@ -368,7 +370,7 @@ class Daemon:
         if not await has_active_session(probe=self.probe):
             return {"status": "unavailable"}
         try:
-            await self.consent.obtain_key(browser_for(browser), reason=f"release {endpoint}")
+            await self.consent.obtain_key(browser_for(browser), reason=f"sync them to {endpoint}")
         except ConsentError:
             return {"status": "denied"}
         return {"status": "approved", "nonce": nonce, "endpoint": endpoint}

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/cookiesync/service.py

@@ -41,8 +41,11 @@ SESSION_TYPE = "Aqua"
 
 RECONCILE_INTERVAL = 900
 
-ALREADY_LOADED = "service already loaded"
-NOT_LOADED = "Could not find specified service"
+# launchctl's tolerated-error strings vary by macOS version: pre-13 said "Could not
+# find specified service" / "service already loaded"; 13+ says "No such process" (exit 3)
+# for a not-loaded bootout. Tolerate every spelling so install/uninstall stay idempotent.
+ALREADY_LOADED = ("service already loaded", "service already bootstrapped")
+NOT_LOADED = ("Could not find specified service", "No such process")
 
 
 class ServiceError(Exception):
@@ -165,12 +168,12 @@ def agent_for(label: Label, program_args: Sequence[str]) -> AgentSpec:
             raise ServiceError(f"{label} runs {agent.command!r}, not {list(program_args)!r}")
 
 
-async def run_launchctl(*args: str, tolerate: str) -> None:
+async def run_launchctl(*args: str, tolerate: tuple[str, ...]) -> None:
     result = await anyio.run_process(["launchctl", *args], check=False)
     match result.returncode:
         case 0:
             return
-        case _ if tolerate in result.stderr.decode():
+        case _ if any(t in result.stderr.decode() for t in tolerate):
             return
         case code:
             raise ServiceError(f"launchctl {args[0]}: exit {code}: {result.stderr.decode().strip()}")

{cookiesync_cli-0.1.2 → cookiesync_cli-0.1.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "cookiesync-cli"
-version = "0.1.2"
+version = "0.1.4"
 description = "Sync your browser cookies across machines."
 readme = "README.md"
 license = "PolyForm-Noncommercial-1.0.0"