nssh: ntfy read deadlines + one-shot remote prep (#3)

## Summary

- Fix ntfy subscriber hanging on dead TCP sockets (overnight/sleep/NAT
rebind). Wrap the dialed `net.Conn` so every `Read` resets a 90s
deadline; ntfy's ~55s keepalives keep a healthy stream inside the
window, silence trips `i/o timeout` → reconnect.
- Collapse `checkRemoteVersion` + `writeRemoteSession` into a single
`bash -l -s` invocation (`prepareRemote`). Startup goes from 2 SSH
round-trips to 1 before the interactive session.
- Drop the now-unused `probeRemoteVersion`/`checkRemoteVersion` from
`infect.go`.

## Test plan

- [ ] `go build ./...` and `go test ./...` pass locally
- [ ] `nssh <host>` opens a session and the ntfy subscriber logs a
reconnect line if the network is bounced
- [ ] Leave a session idle > 2 minutes with no activity; clipboard still
works after
- [ ] Version-mismatch prompt still fires when the remote `nssh` is
outdated
- [ ] Missing-remote prompt still fires when `nssh` isn't installed on
the remote

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it changes the ntfy streaming transport behavior
and refactors remote session initialization/version probing into a new
single SSH invocation, which could affect connection reliability and
upgrade prompts.
> 
> **Overview**
> Improves reliability of the ntfy subscriber by dialing with TCP
keepalive, enforcing per-read deadlines (to detect zombie sockets), and
logging scanner errors before reconnecting.
> 
> Refactors remote startup so version probing, session file write, and
remote JSONL log seeding happen in one `bash -l` SSH call
(`prepareRemote`), and removes the now-redundant remote version-check
helpers from `infect.go`. Also updates README wording to better describe
`nssh`’s purpose.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
9af7c7e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: abizer

README.md

@@ -1,7 +1,10 @@
 # nssh
 
-_Written by [Claude Opus 4.7](https://www.anthropic.com/news/claude-opus-4-7) via Claude Code_
+_Built with [Claude Opus 4.7](https://www.anthropic.com/news/claude-opus-4-7) via Claude Code_
 
+`nssh` bridges your local machine (macOS, primarily) to a headless Linux VM to
+let you use tools like `xdg-open` or `xclip` that otherwise require X and a display to work.
+ 
 Paste images into [Claude Code](https://claude.ai/claude-code) over SSH. Also bridges text clipboard, `xdg-open` URLs, and OAuth callbacks between remote sessions and your local machine — over SSH or mosh.
 
 ## The problem

cmd/nssh/infect.go

@@ -217,26 +217,6 @@ func downloadBinary(tag, goos, goarch string) (string, error) {
 	}
 }
 
-// probeRemoteVersion SSHes in (login shell for PATH) and runs `nssh --version`
-// on the remote. Returns the version string and whether nssh is installed.
-func probeRemoteVersion(sshTarget string) (ver string, installed bool) {
-	out, err := exec.Command("ssh", "-o", "BatchMode=yes", sshTarget,
-		`bash -l -c 'command -v nssh >/dev/null 2>&1 && nssh --version 2>&1 | head -1'`,
-	).Output()
-	if err != nil {
-		return "", false
-	}
-	line := strings.TrimSpace(string(out))
-	if line == "" {
-		return "", false
-	}
-	parts := strings.Fields(line)
-	if len(parts) < 2 {
-		return "", false
-	}
-	return parts[1], true
-}
-
 // promptYes returns true if stdin is a TTY and the user answers yes.
 func promptYes(msg string) bool {
 	stat, err := os.Stdin.Stat()
@@ -250,29 +230,6 @@ func promptYes(msg string) bool {
 	return resp == "y" || resp == "yes"
 }
 
-// checkRemoteVersion probes the remote's nssh version and warns if missing
-// or mismatched. Prompts to infect if on a TTY. Non-fatal on any error.
-func checkRemoteVersion(sshTarget string) {
-	localVer := version()
-	if !looksLikeSemver(localVer) {
-		return
-	}
-	remoteVer, installed := probeRemoteVersion(sshTarget)
-	if !installed {
-		fmt.Fprintln(os.Stderr, "nssh: not installed on remote — clipboard bridge will not work")
-		if promptYes("  install it now?") {
-			infectRemote(sshTarget, false)
-		}
-		return
-	}
-	if remoteVer != localVer {
-		fmt.Fprintf(os.Stderr, "nssh: remote version %s, local %s\n", remoteVer, localVer)
-		if promptYes("  update remote to " + localVer + "?") {
-			infectRemote(sshTarget, false)
-		}
-	}
-}
-
 // infectSelf sets up the local machine: creates persona symlinks in
 // ~/.local/bin pointing to the currently running nssh binary. Refuses on
 // desktop systems (unless force=true) since symlinking xclip/xdg-open/etc

cmd/nssh/main.go

@@ -24,11 +24,11 @@ import (
 
 var localhostRe = regexp.MustCompile(`(?:localhost|127\.0\.0\.1):(\d+)`)
 
-// writeRemoteSession writes the session file and seeds the log on the remote
-// host so the shim knows which ntfy server/topic to use, and so there's a
-// canonical "session opened" event before any shim fires. Runs one SSH command
-// before the interactive session starts.
-func writeRemoteSession(sshTarget string, cfg nsshConfig) {
+// prepareRemote probes the remote's nssh version and writes the session file +
+// seeds the JSONL log in a single SSH login-shell invocation. Returns the
+// remote nssh version, or "" if not installed / unreadable. Non-fatal on
+// errors — shim may still work with a pinned config.toml or no log at all.
+func prepareRemote(sshTarget string, cfg nsshConfig) string {
 	event := map[string]any{
 		"ts":      time.Now().UTC().Format(time.RFC3339Nano),
 		"event":   "session-open",
@@ -40,9 +40,15 @@ func writeRemoteSession(sshTarget string, cfg nsshConfig) {
 	}
 	eventJSON, _ := json.Marshal(event)
 
-	// Heredocs with quoted delimiters ('EOF') prevent any shell expansion
-	// inside, so TOML and JSON go through verbatim regardless of contents.
+	// bash -l so PATH includes ~/.local/bin even for non-interactive sessions.
+	// Heredocs with quoted delimiters ('EOF') prevent shell expansion inside,
+	// so TOML and JSON pass through verbatim regardless of contents.
 	script := fmt.Sprintf(`set -e
+if command -v nssh >/dev/null 2>&1; then
+  echo "NSSH_VERSION: $(nssh --version 2>/dev/null | head -1 | awk '{print $2}')"
+else
+  echo "NSSH_VERSION: none"
+fi
 dir="${XDG_STATE_HOME:-$HOME/.local/state}/nssh"
 mkdir -p "$dir"
 cat > "$dir/session" <<'NSSH_SESSION_EOF'
@@ -54,12 +60,26 @@ cat >> "$dir/nssh.%s.jsonl" <<'NSSH_LOG_EOF'
 NSSH_LOG_EOF
 `, cfg.Server, cfg.Topic, cfg.Topic, string(eventJSON))
 
-	cmd := exec.Command("ssh", "-o", "BatchMode=yes", sshTarget, "bash", "-s")
+	cmd := exec.Command("ssh", "-o", "BatchMode=yes", sshTarget, "bash", "-l", "-s")
 	cmd.Stdin = strings.NewReader(script)
-	if err := cmd.Run(); err != nil {
-		fmt.Fprintf(os.Stderr, "nssh: failed to write session config on remote: %v\n", err)
-		// Non-fatal — shim may still work if remote has a pinned config.toml.
+	cmd.Stderr = os.Stderr
+	out, err := cmd.Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "nssh: remote prepare: %v\n", err)
+		return ""
 	}
+	for _, line := range strings.Split(string(out), "\n") {
+		v, ok := strings.CutPrefix(line, "NSSH_VERSION: ")
+		if !ok {
+			continue
+		}
+		v = strings.TrimSpace(v)
+		if v == "" || v == "none" {
+			return ""
+		}
+		return v
+	}
+	return ""
 }
 
 func resolveShortHost(sshArgs []string) string {
@@ -177,10 +197,38 @@ func handleOpen(rawURL, sshTarget string) {
 	}
 }
 
+// deadlineConn wraps net.Conn to push the read deadline forward on every Read.
+// The ntfy server sends keepalive events every ~55s, so if no bytes arrive
+// for well past that window the connection is silently dead (laptop sleep, NAT
+// rebind, proxy drop) — the next Read returns i/o timeout and the subscriber
+// reconnects. Without this, Read can block forever on a zombie TCP socket.
+type deadlineConn struct {
+	net.Conn
+	period time.Duration
+}
+
+func (c *deadlineConn) Read(p []byte) (int, error) {
+	_ = c.Conn.SetReadDeadline(time.Now().Add(c.period))
+	return c.Conn.Read(p)
+}
+
 func subscribeNtfy(ctx context.Context, cfg nsshConfig, sshTarget string) {
 	topicURL := cfg.topicURL()
 	endpoint := topicURL + "/json"
-	client := &http.Client{}
+
+	dialer := &net.Dialer{KeepAlive: 15 * time.Second}
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				conn, err := dialer.DialContext(ctx, network, addr)
+				if err != nil {
+					return nil, err
+				}
+				return &deadlineConn{Conn: conn, period: 90 * time.Second}, nil
+			},
+			ResponseHeaderTimeout: 30 * time.Second,
+		},
+	}
 
 	for {
 		if ctx.Err() != nil {
@@ -214,6 +262,9 @@ func subscribeNtfy(ctx context.Context, cfg nsshConfig, sshTarget string) {
 				go handleMessage(msg, topicURL, sshTarget)
 			}
 		}
+		if err := scanner.Err(); err != nil && ctx.Err() == nil {
+			fmt.Fprintf(os.Stderr, "nssh: ntfy stream ended (%v) — reconnecting\n", err)
+		}
 		resp.Body.Close()
 
 		select {
@@ -385,10 +436,6 @@ func nsshMain() {
 		return
 	}
 
-	// Version check before session starts — warns if the remote's nssh is
-	// missing or mismatched, offers to re-infect on TTY.
-	checkRemoteVersion(sshTarget)
-
 	cfg := loadConfig()
 	if cfg.Topic == "" {
 		cfg.Topic = generateTopic()
@@ -401,7 +448,23 @@ func nsshMain() {
 		"server": cfg.Server,
 	})
 
-	writeRemoteSession(sshTarget, cfg)
+	// One SSH login-shell to probe version, write the session file, and seed
+	// the remote JSONL log before the interactive session starts.
+	remoteVer := prepareRemote(sshTarget, cfg)
+	if localVer := version(); looksLikeSemver(localVer) {
+		switch {
+		case remoteVer == "":
+			fmt.Fprintln(os.Stderr, "nssh: not installed on remote — clipboard bridge will not work")
+			if promptYes("  install it now?") {
+				infectRemote(sshTarget, false)
+			}
+		case remoteVer != localVer:
+			fmt.Fprintf(os.Stderr, "nssh: remote version %s, local %s\n", remoteVer, localVer)
+			if promptYes("  update remote to " + localVer + "?") {
+				infectRemote(sshTarget, false)
+			}
+		}
+	}
 
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()