cinchcli-core 0.1.5

Shared client-side primitives for Cinch (cinchcli.com): generated wire DTOs, REST/WebSocket clients, AES-256-GCM + X25519 crypto, credential storage, local SQLite store, and sync helpers.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

//! Stable per-machine identifier used to deduplicate device rows on the relay.
//!
//! The relay uses `machine_id` to recognize when the CLI and desktop on the
//! same Mac are signing in independently and should share a single device row
//! instead of producing two. The value is opaque (SHA-256 of the OS-provided
//! UUID, truncated to 16 hex chars) so the underlying hardware identifier is
//! never sent in cleartext.
//!
//! Sources by platform:
//!   macOS   — `IOPlatformUUID` via `ioreg -rd1 -c IOPlatformExpertDevice`
//!   Linux   — `/etc/machine-id` (or `/var/lib/dbus/machine-id` fallback)
//!   Windows — `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid`
//!
//! Returns an empty string when the source is unavailable; callers treat that
//! the same as "no dedup hint" and the relay falls back to today's behavior.

use sha2::{Digest, Sha256};

/// Returns true if the current process appears to be running inside an SSH
/// session, based on the SSH_* environment variables OpenSSH's sshd sets
/// when forking a login shell. Suppresses browser auto-open and desktop
/// handoff during `cinch auth login`.
pub fn in_ssh_session() -> bool {
    std::env::var("SSH_CONNECTION").is_ok()
        || std::env::var("SSH_TTY").is_ok()
        || std::env::var("SSH_CLIENT").is_ok()
}

/// Returns the OS-level hostname via `gethostname(3)`, or `"unknown"` if the
/// syscall fails or yields an empty value. Identical on CLI and desktop so
/// the relay's source_key dedup matches across both clients on the same Mac.
pub fn hostname_or_unknown() -> String {
    hostname::get()
        .ok()
        .and_then(|os| os.into_string().ok())
        .filter(|s| !s.is_empty())
        .unwrap_or_else(|| "unknown".to_string())
}

/// Returns the `source` value used when this device pushes a clip.
///
/// Format: `remote:<hostname>`. Mirrors the format produced by
/// `cinch push` (see commands/push.rs). Used by `cinch pull --exclude-self`
/// and the underlying `--exclude-source` query so the relay can suppress
/// clips authored by the local device.
pub fn self_source_key() -> String {
    format!("remote:{}", hostname_or_unknown())
}

/// Returns a stable, opaque identifier for this machine, or an empty string
/// if no source is available. The value is suitable for sending to the relay
/// (no raw hardware ID) and is consistent across CLI and desktop on the same
/// machine.
pub fn stable_machine_id() -> String {
    match raw_machine_source() {
        Some(raw) if !raw.is_empty() => hash_short(&raw),
        _ => String::new(),
    }
}

fn hash_short(raw: &str) -> String {
    let digest = Sha256::digest(raw.as_bytes());
    let mut s = String::with_capacity(16);
    for b in &digest[..8] {
        s.push_str(&format!("{:02x}", b));
    }
    s
}

#[cfg(target_os = "macos")]
fn raw_machine_source() -> Option<String> {
    use std::process::Command;
    let out = Command::new("ioreg")
        .args(["-rd1", "-c", "IOPlatformExpertDevice"])
        .output()
        .ok()?;
    if !out.status.success() {
        return None;
    }
    let text = String::from_utf8_lossy(&out.stdout);
    for line in text.lines() {
        let trimmed = line.trim();
        if let Some(rest) = trimmed.strip_prefix("\"IOPlatformUUID\"") {
            // Format: "IOPlatformUUID" = "ABCD-..."
            if let Some(start) = rest.find('=') {
                let after = rest[start + 1..].trim();
                let unq = after.trim_matches('"');
                if !unq.is_empty() {
                    return Some(unq.to_string());
                }
            }
        }
    }
    None
}

#[cfg(target_os = "linux")]
fn raw_machine_source() -> Option<String> {
    for path in ["/etc/machine-id", "/var/lib/dbus/machine-id"] {
        if let Ok(s) = std::fs::read_to_string(path) {
            let v = s.trim();
            if !v.is_empty() {
                return Some(v.to_string());
            }
        }
    }
    None
}

#[cfg(target_os = "windows")]
fn raw_machine_source() -> Option<String> {
    use std::process::Command;
    let out = Command::new("reg")
        .args([
            "query",
            "HKLM\\SOFTWARE\\Microsoft\\Cryptography",
            "/v",
            "MachineGuid",
        ])
        .output()
        .ok()?;
    if !out.status.success() {
        return None;
    }
    let text = String::from_utf8_lossy(&out.stdout);
    for line in text.lines() {
        let trimmed = line.trim();
        if trimmed.starts_with("MachineGuid") {
            // Format: MachineGuid    REG_SZ    abcd-...
            let mut parts = trimmed.split_whitespace();
            let _ = parts.next(); // MachineGuid
            let _ = parts.next(); // REG_SZ
            if let Some(v) = parts.next() {
                if !v.is_empty() {
                    return Some(v.to_string());
                }
            }
        }
    }
    None
}

#[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
fn raw_machine_source() -> Option<String> {
    None
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::env;

    #[test]
    fn hash_is_16_hex_chars() {
        let h = hash_short("any-input");
        assert_eq!(h.len(), 16);
        assert!(h.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn hash_is_deterministic() {
        assert_eq!(hash_short("same"), hash_short("same"));
        assert_ne!(hash_short("a"), hash_short("b"));
    }

    fn with_env<F: FnOnce()>(vars: &[(&str, Option<&str>)], f: F) {
        let prev: Vec<_> = vars
            .iter()
            .map(|(k, _)| (k.to_string(), env::var(k).ok()))
            .collect();
        for (k, v) in vars {
            match v {
                Some(val) => env::set_var(k, val),
                None => env::remove_var(k),
            }
        }
        f();
        for (k, v) in prev {
            match v {
                Some(val) => env::set_var(&k, val),
                None => env::remove_var(&k),
            }
        }
    }

    #[test]
    fn ssh_connection_triggers() {
        with_env(
            &[
                ("SSH_CONNECTION", Some("1.2.3.4 22 5.6.7.8 22")),
                ("SSH_TTY", None),
                ("SSH_CLIENT", None),
            ],
            || assert!(in_ssh_session()),
        );
    }

    #[test]
    fn ssh_tty_triggers() {
        with_env(
            &[
                ("SSH_CONNECTION", None),
                ("SSH_TTY", Some("/dev/pts/0")),
                ("SSH_CLIENT", None),
            ],
            || assert!(in_ssh_session()),
        );
    }

    #[test]
    fn ssh_client_triggers() {
        with_env(
            &[
                ("SSH_CONNECTION", None),
                ("SSH_TTY", None),
                ("SSH_CLIENT", Some("1.2.3.4 22 22")),
            ],
            || assert!(in_ssh_session()),
        );
    }

    #[test]
    fn no_ssh_env_returns_false() {
        with_env(
            &[
                ("SSH_CONNECTION", None),
                ("SSH_TTY", None),
                ("SSH_CLIENT", None),
            ],
            || assert!(!in_ssh_session()),
        );
    }

    #[test]
    fn self_source_key_matches_push_format() {
        let key = self_source_key();
        let host = hostname_or_unknown();
        assert_eq!(key, format!("remote:{}", host));
    }

    #[test]
    fn self_source_key_has_remote_prefix() {
        assert!(self_source_key().starts_with("remote:"));
    }
}