@caoruhua/open-claude-remote 0.1.0

package/dist/auth/auth-middleware.js

@@ -0,0 +1,124 @@
+import { timingSafeEqual } from 'node:crypto';
+import * as cookie from 'cookie';
+import { generateSessionId } from './token-generator.js';
+import { RateLimiter } from './rate-limiter.js';
+import { logger } from '../logger/logger.js';
+/**
+ * Authentication module managing token verification, session cookies, and rate limiting.
+ */
+export class AuthModule {
+    token;
+    sessionTtlMs;
+    cookieName;
+    sessions = new Map();
+    rateLimiter;
+    constructor(options) {
+        this.token = options.token;
+        this.sessionTtlMs = options.sessionTtlMs;
+        this.cookieName = options.cookieName;
+        this.rateLimiter = new RateLimiter(options.rateLimitPerMinute);
+    }
+    /**
+     * Verify a token using timing-safe comparison.
+     */
+    verifyToken(candidate) {
+        const a = Buffer.from(this.token);
+        const b = Buffer.from(candidate);
+        if (a.length !== b.length)
+            return false;
+        return timingSafeEqual(a, b);
+    }
+    /**
+     * Create a new session and return the session ID.
+     */
+    createSession(ip) {
+        const sessionId = generateSessionId();
+        this.sessions.set(sessionId, { createdAt: Date.now(), ip });
+        logger.info({ ip }, 'Session created');
+        return sessionId;
+    }
+    /**
+     * Validate a session ID. Returns true if valid and not expired.
+     */
+    validateSession(sessionId) {
+        const entry = this.sessions.get(sessionId);
+        if (!entry)
+            return false;
+        if (Date.now() - entry.createdAt > this.sessionTtlMs) {
+            this.sessions.delete(sessionId);
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Extract session ID from request cookies.
+     */
+    getSessionFromRequest(req) {
+        const cookies = cookie.parse(req.headers.cookie ?? '');
+        return cookies[this.cookieName] ?? null;
+    }
+    /**
+     * Extract session ID from a raw cookie header string.
+     */
+    getSessionFromCookieHeader(cookieHeader) {
+        const cookies = cookie.parse(cookieHeader);
+        return cookies[this.cookieName] ?? null;
+    }
+    getCookieName() {
+        return this.cookieName;
+    }
+    /**
+     * Express middleware that protects routes with session auth.
+     */
+    requireAuth = (req, res, next) => {
+        const sessionId = this.getSessionFromRequest(req);
+        const isValid = sessionId ? this.validateSession(sessionId) : false;
+        if (!isValid) {
+            logger.warn({
+                path: req.path,
+                instanceCookieName: this.cookieName,
+                hasSessionCookie: Boolean(sessionId),
+                sessionFound: Boolean(sessionId && this.sessions.has(sessionId)),
+            }, 'Auth rejected: invalid session');
+            res.status(401).json({ error: 'Unauthorized' });
+            return;
+        }
+        next();
+    };
+    /**
+     * Handle auth POST (verify token, create session, return cookie).
+     */
+    handleAuth = (req, res) => {
+        const ip = req.ip ?? req.socket.remoteAddress ?? 'unknown';
+        if (!this.rateLimiter.attempt(ip)) {
+            logger.warn({ ip }, 'Auth rate limit hit');
+            res.status(429).json({ error: 'Too many attempts. Try again later.' });
+            return;
+        }
+        const { token } = req.body;
+        if (!token || !this.verifyToken(token)) {
+            logger.warn({ ip }, 'Auth failed: invalid token');
+            res.status(401).json({ error: 'Invalid token' });
+            return;
+        }
+        const sessionId = this.createSession(ip);
+        // Reset rate limiter on successful auth - user has proven they know the token
+        this.rateLimiter.reset(ip);
+        res.setHeader('Set-Cookie', cookie.serialize(this.cookieName, sessionId, {
+            httpOnly: true,
+            secure: req.protocol === 'https',
+            sameSite: 'lax',
+            path: '/',
+            maxAge: Math.floor(this.sessionTtlMs / 1000),
+        }));
+        logger.info({ ip, instanceCookieName: this.cookieName }, 'Auth successful');
+        res.json({ ok: true });
+    };
+    /**
+     * Cleanup resources.
+     */
+    destroy() {
+        this.rateLimiter.destroy();
+    }
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/auth/auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.js","sourceRoot":"","sources":["../../src/auth/auth-middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAc7C;;GAEG;AACH,MAAM,OAAO,UAAU;IACJ,KAAK,CAAS;IACd,YAAY,CAAS;IACrB,UAAU,CAAS;IACnB,QAAQ,GAA8B,IAAI,GAAG,EAAE,CAAC;IAChD,WAAW,CAAc;IAE1C,YAAY,OAA0B;QACpC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,EAAU;QACtB,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;QACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,iBAAiB,CAAC,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,SAAiB;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACrD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,GAAY;QAChC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QACvD,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,0BAA0B,CAAC,YAAoB;QAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,WAAW,GAAG,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QACtE,MAAM,SAAS,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACpE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,kBAAkB,EAAE,IAAI,CAAC,UAAU;gBACnC,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC;gBACpC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;aACjE,EAAE,gCAAgC,CAAC,CAAC;YACrC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IAEF;;OAEG;IACH,UAAU,GAAG,CAAC,GAAY,EAAE,GAAa,EAAQ,EAAE;QACjD,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAC;QAE3D,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,qBAAqB,CAAC,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;YACvE,OAAO;QACT,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,IAA0B,CAAC;QACjD,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,4BAA4B,CAAC,CAAC;YAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YACjD,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAEzC,8EAA8E;QAC9E,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE3B,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE;YACvE,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,QAAQ,KAAK,OAAO;YAChC,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;SAC7C,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,kBAAkB,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,iBAAiB,CAAC,CAAC;QAC5E,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACzB,CAAC,CAAC;IAEF;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/auth/rate-limiter.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Simple in-memory rate limiter per IP.
+ * Window: 1 minute. Configurable max attempts.
+ *
+ * 多实例限制：各实例独立计数，不共享状态。
+ * 在多实例场景下，同一 IP 的有效总尝试次数 = maxAttempts × 实例数。
+ * 这在实际场景中可接受：token 为 256 位（64 hex chars），暴力破解不可行。
+ */
+export declare class RateLimiter {
+    private entries;
+    private readonly maxAttempts;
+    private readonly windowMs;
+    private cleanupTimer;
+    constructor(maxAttempts?: number, windowMs?: number);
+    /**
+     * Check if an IP is allowed. Returns true if allowed, false if rate limited.
+     * Automatically increments the counter.
+     */
+    attempt(ip: string): boolean;
+    /**
+     * Get remaining attempts for an IP.
+     */
+    remaining(ip: string): number;
+    /**
+     * Clean up expired entries.
+     */
+    private cleanup;
+    /**
+     * Reset rate limit counter for an IP (e.g., after successful auth).
+     */
+    reset(ip: string): void;
+    /**
+     * Stop cleanup timer.
+     */
+    destroy(): void;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/auth/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/auth/rate-limiter.ts"],"names":[],"mappings":"AAOA;;;;;;;GAOG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAA0C;IACzD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,YAAY,CAA+C;gBAEvD,WAAW,GAAE,MAAU,EAAE,QAAQ,GAAE,MAAe;IAW9D;;;OAGG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAmB5B;;OAEG;IACH,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM;IAO7B;;OAEG;IACH,OAAO,CAAC,OAAO;IASf;;OAEG;IACH,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAIvB;;OAEG;IACH,OAAO,IAAI,IAAI;CAMhB"}

package/dist/auth/rate-limiter.js

@@ -0,0 +1,81 @@
+import { logger } from '../logger/logger.js';
+/**
+ * Simple in-memory rate limiter per IP.
+ * Window: 1 minute. Configurable max attempts.
+ *
+ * 多实例限制：各实例独立计数，不共享状态。
+ * 在多实例场景下，同一 IP 的有效总尝试次数 = maxAttempts × 实例数。
+ * 这在实际场景中可接受：token 为 256 位（64 hex chars），暴力破解不可行。
+ */
+export class RateLimiter {
+    entries = new Map();
+    maxAttempts;
+    windowMs;
+    cleanupTimer = null;
+    constructor(maxAttempts = 5, windowMs = 60_000) {
+        this.maxAttempts = maxAttempts;
+        this.windowMs = windowMs;
+        // Periodic cleanup of stale entries
+        this.cleanupTimer = setInterval(() => this.cleanup(), windowMs * 2);
+        // Don't block process exit
+        if (this.cleanupTimer.unref) {
+            this.cleanupTimer.unref();
+        }
+    }
+    /**
+     * Check if an IP is allowed. Returns true if allowed, false if rate limited.
+     * Automatically increments the counter.
+     */
+    attempt(ip) {
+        const now = Date.now();
+        const entry = this.entries.get(ip);
+        if (!entry || now >= entry.resetAt) {
+            // First attempt or window expired
+            this.entries.set(ip, { count: 1, resetAt: now + this.windowMs });
+            return true;
+        }
+        entry.count++;
+        if (entry.count > this.maxAttempts) {
+            logger.warn({ ip, count: entry.count, maxAttempts: this.maxAttempts }, 'Rate limit exceeded');
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Get remaining attempts for an IP.
+     */
+    remaining(ip) {
+        const now = Date.now();
+        const entry = this.entries.get(ip);
+        if (!entry || now >= entry.resetAt)
+            return this.maxAttempts;
+        return Math.max(0, this.maxAttempts - entry.count);
+    }
+    /**
+     * Clean up expired entries.
+     */
+    cleanup() {
+        const now = Date.now();
+        for (const [ip, entry] of this.entries) {
+            if (now >= entry.resetAt) {
+                this.entries.delete(ip);
+            }
+        }
+    }
+    /**
+     * Reset rate limit counter for an IP (e.g., after successful auth).
+     */
+    reset(ip) {
+        this.entries.delete(ip);
+    }
+    /**
+     * Stop cleanup timer.
+     */
+    destroy() {
+        if (this.cleanupTimer) {
+            clearInterval(this.cleanupTimer);
+            this.cleanupTimer = null;
+        }
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/auth/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/auth/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAO7C;;;;;;;GAOG;AACH,MAAM,OAAO,WAAW;IACd,OAAO,GAAgC,IAAI,GAAG,EAAE,CAAC;IACxC,WAAW,CAAS;IACpB,QAAQ,CAAS;IAC1B,YAAY,GAA0C,IAAI,CAAC;IAEnE,YAAY,cAAsB,CAAC,EAAE,WAAmB,MAAM;QAC5D,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,oCAAoC;QACpC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC;QACpE,2BAA2B;QAC3B,IAAI,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,EAAU;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEnC,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,kCAAkC;YAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,IAAI,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,EAAE,qBAAqB,CAAC,CAAC;YAC9F,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,EAAU;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,WAAW,CAAC;QAC5D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC;IAED;;OAEG;IACK,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACvC,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBACzB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,EAAU;QACd,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;CACF"}

package/dist/auth/token-generator.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Generate a random hex token for authentication.
+ */
+export declare function generateToken(): string;
+/**
+ * Generate a random session ID.
+ */
+export declare function generateSessionId(): string;
+//# sourceMappingURL=token-generator.d.ts.map

package/dist/auth/token-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-generator.d.ts","sourceRoot":"","sources":["../../src/auth/token-generator.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}

package/dist/auth/token-generator.js

@@ -0,0 +1,15 @@
+import { randomBytes } from 'node:crypto';
+import { TOKEN_BYTES, SESSION_ID_BYTES } from '../../shared-dist/index.js';
+/**
+ * Generate a random hex token for authentication.
+ */
+export function generateToken() {
+    return randomBytes(TOKEN_BYTES).toString('hex');
+}
+/**
+ * Generate a random session ID.
+ */
+export function generateSessionId() {
+    return randomBytes(SESSION_ID_BYTES).toString('hex');
+}
+//# sourceMappingURL=token-generator.js.map

package/dist/auth/token-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-generator.js","sourceRoot":"","sources":["../../src/auth/token-generator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAEtE;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,WAAW,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACvD,CAAC"}

package/dist/cli-utils.d.ts

@@ -0,0 +1,19 @@
+/**
+ * CLI 参数解析工具函数
+ *
+ * 从 cli.ts 提取出来，避免 cli.ts 有静态 import。
+ */
+export interface CliOptions {
+    port?: number;
+    host?: string;
+    token?: string;
+    name?: string;
+    help: boolean;
+    noTerminal: boolean;
+    claudeArgs: string[];
+    /** attach 子命令 */
+    attach?: string;
+}
+export declare function parseCliArgs(argv: string[]): CliOptions;
+export declare function showHelp(): void;
+//# sourceMappingURL=cli-utils.d.ts.map

package/dist/cli-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-utils.d.ts","sourceRoot":"","sources":["../src/cli-utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,iBAAiB;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAaD,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAkEvD;AAED,wBAAgB,QAAQ,IAAI,IAAI,CA0C/B"}

package/dist/cli-utils.js

@@ -0,0 +1,132 @@
+/**
+ * CLI 参数解析工具函数
+ *
+ * 从 cli.ts 提取出来，避免 cli.ts 有静态 import。
+ */
+function parsePort(raw) {
+    if (!raw || !/^\d+$/.test(raw)) {
+        throw new Error('--port requires a numeric value');
+    }
+    const port = Number(raw);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error('--port must be between 1 and 65535');
+    }
+    return port;
+}
+export function parseCliArgs(argv) {
+    const options = {
+        help: false,
+        noTerminal: false,
+        claudeArgs: [],
+    };
+    let i = 2; // Skip 'node' and script path
+    // 检查子命令
+    if (argv.length > 2) {
+        const firstArg = argv[2];
+        if (firstArg === 'attach') {
+            if (argv.length <= 3) {
+                throw new Error('attach 命令需要指定目标实例（端口或名称）');
+            }
+            options.attach = argv[3];
+            return options;
+        }
+    }
+    while (i < argv.length) {
+        const arg = argv[i];
+        if (arg === '--help' || arg === '-h') {
+            options.help = true;
+            i++;
+        }
+        else if (arg === '--no-terminal') {
+            options.noTerminal = true;
+            i++;
+        }
+        else if (arg === '--port') {
+            options.port = parsePort(argv[++i]);
+            i++;
+        }
+        else if (arg === '--host') {
+            options.host = argv[++i];
+            i++;
+        }
+        else if (arg === '--token') {
+            options.token = argv[++i];
+            i++;
+        }
+        else if (arg === '--name') {
+            options.name = argv[++i];
+            i++;
+        }
+        else if (arg === '--') {
+            // Stop parsing, pass all remaining args to claude
+            options.claudeArgs.push(...argv.slice(i + 1));
+            break;
+        }
+        else if (arg.startsWith('--port=')) {
+            options.port = parsePort(arg.split('=')[1]);
+            i++;
+        }
+        else if (arg.startsWith('--host=')) {
+            options.host = arg.split('=')[1];
+            i++;
+        }
+        else if (arg.startsWith('--token=')) {
+            options.token = arg.split('=')[1];
+            i++;
+        }
+        else if (arg.startsWith('--name=')) {
+            options.name = arg.split('=')[1];
+            i++;
+        }
+        else {
+            // Unknown arg: pass to claude
+            options.claudeArgs.push(arg);
+            i++;
+        }
+    }
+    return options;
+}
+export function showHelp() {
+    console.log(`
+Claude Code Remote - 在局域网内通过手机远程控制 Claude Code
+
+用法：
+  claude-remote [options] [--] [claude args...]
+  claude-remote attach <port|name>  # 接管指定实例
+
+代理层选项：
+  --port <number>      服务端口 (默认: 3000, 被占用时自动递增)
+  --host <ip>          绑定地址 (默认: 自动检测 LAN IP)
+  --token <string>     认证 Token (默认: 共享 Token)
+  --name <string>      实例名称 (默认: 工作目录名)
+  --no-terminal        无终端模式（web 创建的实例使用）
+  --help, -h           显示帮助信息
+
+配置文件：
+  ~/.claude-remote/config.json  用户配置文件 (JSON 格式)
+
+  可配置项：
+    port            服务端口
+    host            绑定地址
+    token           固定 Token (覆盖共享 Token)
+    instanceName    实例名称
+    claudeCommand   Claude CLI 命令路径 (默认: claude)
+    claudeCwd       Claude 工作目录 (默认: 当前目录)
+    claudeArgs      Claude CLI 额外参数 (数组)
+    maxBufferLines  输出缓冲区行数 (默认: 10000)
+    workspaces      预设工作目录列表 (数组)
+    defaultClaudeArgs 默认 Claude 参数 (数组)
+
+示例：
+  claude-remote                    # 启动 Claude Code
+  claude-remote chat               # 启动 Claude Code 并进入 chat 模式
+  claude-remote --port 8080        # 使用端口 8080
+  claude-remote --name api         # 自定义实例名称
+  claude-remote -- --dangerously-skip-permissions  # 透传参数给 claude
+  claude-remote attach 3001        # 接管端口 3001 的实例
+  claude-remote attach myproject   # 接管名为 myproject 的实例
+
+更多 Claude Code 选项请运行：claude --help
+`);
+}
+//# sourceMappingURL=cli-utils.js.map

package/dist/cli-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-utils.js","sourceRoot":"","sources":["../src/cli-utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,SAAS,SAAS,CAAC,GAAuB;IACxC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAc;IACzC,MAAM,OAAO,GAAe;QAC1B,IAAI,EAAE,KAAK;QACX,UAAU,EAAE,KAAK;QACjB,UAAU,EAAE,EAAE;KACf,CAAC;IAEF,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,8BAA8B;IAEzC,QAAQ;IACR,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEpB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACpB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,eAAe,EAAE,CAAC;YACnC,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;YAC1B,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACpC,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACzB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAC1B,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACzB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACxB,kDAAkD;YAClD,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM;QACR,CAAC;aAAM,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,CAAC;YACN,8BAA8B;YAC9B,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,QAAQ;IACtB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwCb,CAAC,CAAC;AACH,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+/**
+ * claude-remote CLI entry point
+ *
+ * 用法：
+ *   claude-remote [options] [--] [claude args...]
+ *   claude-remote attach <port|name>
+ *
+ * 代理层选项：
+ *   --port <number>      服务端口 (默认: 3000, 被占用时自动递增)
+ *   --host <ip>          绑定地址 (默认: 自动检测 LAN IP)
+ *   --token <string>     认证 Token (默认: 共享 Token)
+ *   --name <string>      实例名称 (默认: 工作目录名)
+ *   --help, -h           显示帮助信息
+ *
+ * 其他所有参数透传给 claude 命令。
+ *
+ * 注意：此文件不能有任何静态 import，因为 ESM 会提升它们到模块顶部执行，
+ * 导致 CLI_MODE 设置在 logger 模块加载之后才生效。
+ */
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;GAkBG"}

package/dist/cli.js

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * claude-remote CLI entry point
+ *
+ * 用法：
+ *   claude-remote [options] [--] [claude args...]
+ *   claude-remote attach <port|name>
+ *
+ * 代理层选项：
+ *   --port <number>      服务端口 (默认: 3000, 被占用时自动递增)
+ *   --host <ip>          绑定地址 (默认: 自动检测 LAN IP)
+ *   --token <string>     认证 Token (默认: 共享 Token)
+ *   --name <string>      实例名称 (默认: 工作目录名)
+ *   --help, -h           显示帮助信息
+ *
+ * 其他所有参数透传给 claude 命令。
+ *
+ * 注意：此文件不能有任何静态 import，因为 ESM 会提升它们到模块顶部执行，
+ * 导致 CLI_MODE 设置在 logger 模块加载之后才生效。
+ */
+// 必须在任何模块加载之前设置 CLI_MODE，因为 logger.ts 在模块顶层读取此变量
+process.env.CLI_MODE = 'true';
+// 所有模块必须使用动态 import
+void (async () => {
+    const { fileURLToPath } = await import('node:url');
+    const { parseCliArgs, showHelp } = await import('./cli-utils.js');
+    const options = parseCliArgs(process.argv);
+    if (options.help) {
+        showHelp();
+        process.exit(0);
+    }
+    // 处理 attach 子命令
+    if (options.attach) {
+        const { attachInstance } = await import('./attach.js');
+        await attachInstance({ target: options.attach });
+        return;
+    }
+    // Set NO_TERMINAL flag for headless mode
+    if (options.noTerminal) {
+        process.env.NO_TERMINAL = 'true';
+    }
+    // 动态导入 CliOverrides 类型（仅类型，编译后会移除）
+    const { loadConfig, createSessionCookieName } = await import('./config.js');
+    // Build CLI overrides for config
+    const cliOverrides = {
+        port: options.port,
+        host: options.host,
+        token: options.token,
+        instanceName: options.name,
+        claudeArgs: options.claudeArgs.length > 0 ? options.claudeArgs : undefined,
+        noTerminal: options.noTerminal,
+    };
+    // 动态加载 startServer
+    const { startServer } = await import('./index.js');
+    await startServer(cliOverrides);
+})();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,iDAAiD;AACjD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;AAE9B,oBAAoB;AACpB,KAAK,CAAC,KAAK,IAAI,EAAE;IACf,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAElE,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,gBAAgB;IAChB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACvD,MAAM,cAAc,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACjD,OAAO;IACT,CAAC;IAED,yCAAyC;IACzC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,MAAM,CAAC;IACnC,CAAC;IAED,mCAAmC;IACnC,MAAM,EAAE,UAAU,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAE5E,iCAAiC;IACjC,MAAM,YAAY,GAAG;QACnB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,YAAY,EAAE,OAAO,CAAC,IAAI;QAC1B,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QAC1E,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;IAEF,mBAAmB;IACnB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,WAAW,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC,CAAC,EAAE,CAAC"}