@idl3/claude-control 0.1.0 → 0.1.2

package/README.md

@@ -4,7 +4,8 @@ A tiny, local web UI to **watch and drive your Claude Code sessions from a
 browser or phone**. It discovers the Claude sessions you already run inside
 **tmux**, streams each session's transcript live, lets you reply, answer
 `AskUserQuestion` prompts, attach screenshots/files, and capture the pane — all
-over `127.0.0.1` (or your Tailscale tailnet), guarded by a token.
+over `127.0.0.1` (or your Tailscale tailnet), behind an optional token you enter
+in-app (never in the URL).
 
 No daemon to babysit, no database: it reads Claude Code's transcript files and
 talks to tmux. Bind is localhost-only by default.
@@ -17,7 +18,7 @@ talks to tmux. Bind is localhost-only by default.
 npm install -g @idl3/claude-control     # or run once: npx @idl3/claude-control
 ```
 
-**Prerequisites:** Node ≥20 and **tmux** on your `PATH` (`brew install tmux` · `sudo apt install tmux`). The web UI ships prebuilt — no build step on install.
+**Prerequisites:** Node ≥20 and **tmux** on your `PATH` (`brew install tmux` · `sudo apt install tmux`). Optional: **ttyd** for the in-browser raw terminal (`brew install ttyd` · `sudo apt install ttyd`) — set `CLAUDE_CONTROL_TTYD` to override its path. The web UI ships prebuilt — no build step on install.
 
 ```bash
 claude-control                    # start the server (prints the URL)
@@ -40,11 +41,13 @@ git clone https://github.com/idl3/claude-control.git
 cd claude-control
 npm install
 npm run build        # builds the web UI (web/dist)
-npm start            # prints a URL with a token
+npm start            # prints the URL
 ```
 
-Open the printed URL (e.g. `http://127.0.0.1:4317/?token=…`). Any Claude Code
-session running in tmux shows up in the left rail.
+Open the printed URL (e.g. `http://127.0.0.1:4317/`). If a token is configured,
+the app prompts for it on first load and remembers it in your browser — it's
+never put in the URL. Any Claude Code session running in tmux shows up in the
+left rail.
 
 > **Already have tmux running with Claude sessions?** You're done — just run
 > `npm start` and they appear automatically.
@@ -104,7 +107,7 @@ All optional. Prefer `CLAUDE_CONTROL_*`; legacy `COCKPIT_*` names still work.
 |---|---|---|
 | `CLAUDE_CONTROL_PORT` | `4317` | HTTP/WS port |
 | `CLAUDE_CONTROL_HOST` | `127.0.0.1` | Bind address |
-| `CLAUDE_CONTROL_TOKEN` | _(none)_ | Require `?token=` on every request (recommended if exposed beyond localhost) |
+| `CLAUDE_CONTROL_TOKEN` | _(none)_ | Access token. Also read from `~/.claude-control/token`. Sent as `Authorization: Bearer` (HTTP) / WS subprotocol — never in the URL. Unset **and** no file ⇒ tokenless. |
 | `CLAUDE_CONTROL_PROJECTS` | `~/.claude/projects` | Where Claude Code transcripts live |
 | `CLAUDE_CONTROL_UPLOADS` | `~/.claude-control/uploads` | Where attachments are stored (TTL-swept) |
 | `CLAUDE_CONTROL_TMUX` | _(auto)_ | tmux binary override |
@@ -115,8 +118,20 @@ All optional. Prefer `CLAUDE_CONTROL_*`; legacy `COCKPIT_*` names still work.
 ## Security
 
 - Binds `127.0.0.1` by default; cross-origin WebSocket upgrades are rejected.
-- Set `CLAUDE_CONTROL_TOKEN` before exposing it (e.g. via `tailscale serve`) —
-  **this UI can type into your live sessions.**
+- **Token auth** — strongly recommended before exposing it (e.g. via
+  `tailscale serve`): *this UI can type into your live sessions.* The token is
+  resolved in order from `CLAUDE_CONTROL_TOKEN`, else the file
+  `~/.claude-control/token` (mode `0600`). With neither set it runs **tokenless**
+  (open to anything that can reach the port — the `127.0.0.1` bind, tailnet ACL,
+  and cross-origin check are the only guards).
+  - The web app **prompts for the token on first load** and stores it in
+    `localStorage`. It's sent as an `Authorization: Bearer` header (and a WS
+    subprotocol) — **never placed in the URL** (URLs leak via history, server
+    logs, and referrer headers). A `401` returns you to the prompt.
+  - **Set or rotate**: write the token to `~/.claude-control/token`, then
+    restart — `launchctl kickstart -k gui/$(id -u)/com.ernest.claude-control`
+    (launchd service), or just re-run `npm start` / `claude-control`. Each
+    browser re-prompts once. `bin/install-service.sh` reads the same file.
 - Uploads are written `0600` under the uploads dir and swept after a TTL.
 
 ---

package/bin/install-service.sh

@@ -36,7 +36,9 @@ SVC_PATH="$TMUX_DIR:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sb
 # launchd gives a LaunchAgent a different $TMPDIR than the login session, so the
 # bundled tmux can't find the running server's socket (-> 0 sessions). Pin
 # TMUX_TMPDIR to where the socket actually lives.
-TMUX_TMPDIR_VAL="$("$TMUX_BIN" display-message -p '#{socket_path}' 2>/dev/null | sed -E 's#/tmux-[0-9]+/[^/]+$##')"
+# `|| true`: with no tmux server running, display-message fails and (under
+# pipefail + set -e) would abort the whole install. Tolerate it and fall back.
+TMUX_TMPDIR_VAL="$("$TMUX_BIN" display-message -p '#{socket_path}' 2>/dev/null | sed -E 's#/tmux-[0-9]+/[^/]+$##' || true)"
 if [ -z "$TMUX_TMPDIR_VAL" ]; then
   for d in /private/tmp /tmp "${TMPDIR:-}"; do
     [ -n "$d" ] && [ -S "$d/tmux-$(id -u)/default" ] && { TMUX_TMPDIR_VAL="$d"; break; }
@@ -86,12 +88,18 @@ PLIST
 launchctl unload "$PLIST" 2>/dev/null || true
 launchctl load "$PLIST"
 
-# Expose over Tailscale (tailnet-only HTTPS). Harmless if already configured.
-if command -v tailscale >/dev/null 2>&1; then
-  tailscale serve --bg --https=443 "localhost:$PORT" >/dev/null 2>&1 || true
+# Expose over Tailscale (tailnet-only HTTPS). Resolve the CLI from PATH, else the
+# macOS app binary (Tailscale.app doesn't put `tailscale` on PATH by default).
+TS="$(command -v tailscale 2>/dev/null || true)"
+[ -z "$TS" ] && [ -x /Applications/Tailscale.app/Contents/MacOS/Tailscale ] && TS=/Applications/Tailscale.app/Contents/MacOS/Tailscale
+if [ -n "$TS" ]; then
+  "$TS" serve --bg --https=443 "localhost:$PORT" >/dev/null 2>&1 || true
 fi
 
-HOSTDNS="$(tailscale status --json 2>/dev/null | node -e 'let d="";process.stdin.on("data",c=>d+=c).on("end",()=>{try{process.stdout.write((JSON.parse(d).Self?.DNSName||"").replace(/\.$/,""))}catch{}})' 2>/dev/null || true)"
+HOSTDNS=""
+if [ -n "$TS" ]; then
+  HOSTDNS="$("$TS" status --json 2>/dev/null | node -e 'let d="";process.stdin.on("data",c=>d+=c).on("end",()=>{try{process.stdout.write((JSON.parse(d).Self?.DNSName||"").replace(/\.$/,""))}catch{}})' 2>/dev/null || true)"
+fi
 
 BASE="$([ -n "$HOSTDNS" ] && echo "https://$HOSTDNS/" || echo "http://127.0.0.1:$PORT/")"
 echo ""

package/lib/terminal.js

@@ -19,10 +19,22 @@
 
 import { spawn } from 'node:child_process';
 import net from 'node:net';
+import fs from 'node:fs';
 
 import * as tmux from './tmux.js';
 
-const TTYD_BIN = process.env.CLAUDE_CONTROL_TTYD || '/opt/homebrew/bin/ttyd';
+// Resolve the ttyd binary robustly instead of hardcoding a Homebrew-arm64 path
+// (which ENOENTs on Intel macOS /usr/local, Linux, or custom installs): honor
+// CLAUDE_CONTROL_TTYD, then probe common locations, else fall back to PATH.
+function resolveTtyd() {
+  if (process.env.CLAUDE_CONTROL_TTYD) return process.env.CLAUDE_CONTROL_TTYD;
+  for (const p of ['/opt/homebrew/bin/ttyd', '/usr/local/bin/ttyd', '/usr/bin/ttyd']) {
+    try { fs.accessSync(p, fs.constants.X_OK); return p; } catch { /* next */ }
+  }
+  return 'ttyd'; // last resort: let the spawn PATH resolve it
+}
+
+const TTYD_BIN = resolveTtyd();
 
 // Reap a ttyd that has had zero clients for this long. A short grace absorbs
 // page reloads / iframe re-mounts without thrashing the process.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@idl3/claude-control",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "type": "module",
   "description": "Local web UI to watch and drive your Claude Code sessions running in tmux — live transcripts, reply, answer AskUserQuestion, attach files, from a browser or phone.",
   "keywords": [