second-brain-sync 0.4.0

Bidirectional sync for second-brain: SSH transport, JSONL change log, conflict resolution
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

use std::collections::HashSet;
use std::ffi::OsString;
use std::fs;
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

use anyhow::{Context, Result};
use second_brain_core::machine::MachineIdentity;

pub fn known_hosts_path_in(config_dir: &Path) -> PathBuf {
    config_dir.join("known_hosts")
}

pub fn known_hosts_path() -> Result<PathBuf> {
    Ok(known_hosts_path_in(&MachineIdentity::config_dir()?))
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct KeyscanLine {
    pub host: String,
    pub key_type: String,
    pub public_key: String,
}

pub fn parse_keyscan_output(raw: &str) -> Vec<KeyscanLine> {
    raw.lines()
        .filter_map(|line| {
            let line = line.trim();
            if line.is_empty() || line.starts_with('#') {
                return None;
            }
            let mut parts = line.split_whitespace();
            let host = parts.next()?;
            let key_type = parts.next()?;
            let public_key = parts.next()?;
            Some(KeyscanLine {
                host: host.to_string(),
                key_type: key_type.to_string(),
                public_key: public_key.to_string(),
            })
        })
        .collect()
}

pub fn compose_known_host_entry(line: &KeyscanLine) -> String {
    format!("{} {} {}\n", line.host, line.key_type, line.public_key)
}

pub fn append_known_host(path: &Path, lines: &[KeyscanLine]) -> Result<()> {
    if let Some(parent) = path.parent()
        && !parent.as_os_str().is_empty()
    {
        fs::create_dir_all(parent).context("creating known_hosts parent dir")?;
    }

    let existing = match fs::read_to_string(path) {
        Ok(s) => s,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => String::new(),
        Err(e) => return Err(e).context("reading known_hosts"),
    };
    let already: HashSet<&str> = existing
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty())
        .collect();

    let mut file = fs::OpenOptions::new()
        .create(true)
        .append(true)
        .mode(0o600)
        .open(path)
        .context("opening known_hosts for append")?;

    for line in lines {
        let entry = compose_known_host_entry(line);
        if already.contains(entry.trim_end()) {
            continue;
        }
        file.write_all(entry.as_bytes())
            .context("writing known_hosts entry")?;
    }

    // because OpenOptions::mode only applies on file creation, tighten unconditionally
    // so an existing permissive file is corrected on first append.
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))
        .context("setting known_hosts mode 0600")?;

    Ok(())
}

pub fn untrusted_host_hint(host: &str) -> String {
    format!(
        "if ssh reported a host-key error, the host is not in ~/.second-brain/known_hosts yet — \
         run `sb sync trust {host}` to verify and pin its fingerprint."
    )
}

pub fn ssh_args(known_hosts: &Path) -> Vec<OsString> {
    let mut user_kh = OsString::from("UserKnownHostsFile=");
    user_kh.push(known_hosts);

    vec![
        OsString::from("-o"),
        OsString::from("StrictHostKeyChecking=yes"),
        OsString::from("-o"),
        user_kh,
        OsString::from("-o"),
        OsString::from("GlobalKnownHostsFile=/dev/null"),
        OsString::from("-o"),
        OsString::from("ServerAliveInterval=30"),
    ]
}