@mindexec/cli 0.2.44 → 0.2.46

package/codex-runtime.js

@@ -1,5 +1,6 @@
 import { promises as fs, readFileSync } from 'fs';
 import path from 'path';
+import os from 'os';
 import { exec, spawn } from 'child_process';
 import { promisify } from 'util';
 import crypto from 'crypto';
@@ -36,6 +37,7 @@ const DEFAULT_TIMEOUT_MS = 8 * 60 * 1000;
 const MAX_LOG_CHARS = 4000;
 const MAX_EVENT_LOG = 120;
 const TEMP_DIR = '.ai/codex';
+const CODEX_CONFIG_PATH = path.join(os.homedir(), '.codex', 'config.toml');
 
 let cachedSdkModule = null;
 let cachedSdkLoadError = null;
@@ -88,6 +90,75 @@ function normalizeProviderKind(value) {
     return '';
 }
 
+function isEnabledEnv(value) {
+    return /^(1|true|yes|on)$/i.test(String(value || '').trim());
+}
+
+function unquoteTomlKey(value) {
+    const text = String(value || '').trim();
+    if (text.length >= 2 && ((text.startsWith('"') && text.endsWith('"')) || (text.startsWith("'") && text.endsWith("'")))) {
+        return text.slice(1, -1).replace(/\\(["\\])/g, '$1').trim();
+    }
+
+    return text;
+}
+
+function readConfiguredMcpServerNames() {
+    if (isEnabledEnv(process.env.MINDEXEC_CODEX_INHERIT_MCP)) {
+        return [];
+    }
+
+    const names = new Set();
+    try {
+        const content = readFileSync(CODEX_CONFIG_PATH, 'utf8');
+        for (const rawLine of content.split(/\r?\n/)) {
+            const line = rawLine.trim();
+            const match = line.match(/^\[mcp_servers\.((?:"(?:[^"\\]|\\.)+"|'(?:[^'\\]|\\.)+'|[^\]\s]+))\]$/);
+            if (!match) {
+                continue;
+            }
+
+            const name = unquoteTomlKey(match[1]);
+            if (/^[A-Za-z0-9_-]+$/.test(name)) {
+                names.add(name);
+            }
+        }
+    } catch {
+        // Missing Codex config is fine; SDK auth still reports its own error if login is required.
+    }
+
+    for (const name of String(process.env.MINDEXEC_CODEX_DISABLED_MCP_SERVERS || 'cloudflare,supabase')
+        .split(',')
+        .map(item => item.trim())
+        .filter(Boolean)) {
+        if (/^[A-Za-z0-9_-]+$/.test(name)) {
+            names.add(name);
+        }
+    }
+
+    return Array.from(names).sort();
+}
+
+function buildCodexSdkConfigOverrides() {
+    const mcpServerNames = readConfiguredMcpServerNames();
+    if (mcpServerNames.length === 0) {
+        return {};
+    }
+
+    const mcpServers = {};
+    for (const name of mcpServerNames) {
+        mcpServers[name] = { enabled: false };
+    }
+
+    return { mcp_servers: mcpServers };
+}
+
+function appendCodexIsolationConfigArgs(args) {
+    for (const name of readConfiguredMcpServerNames()) {
+        args.push('--config', `mcp_servers.${name}.enabled=false`);
+    }
+}
+
 function normalizeReasoningEffort(value) {
     const normalized = String(value || '').trim().toLowerCase();
     return ['minimal', 'low', 'medium', 'high', 'xhigh'].includes(normalized)
@@ -491,7 +562,7 @@ export function createCodexRuntime(options) {
 
         if (providerKind === PROVIDER_KIND.typeScriptSdk) {
             const sdk = await loadCodexSdk();
-            const codex = new sdk.Codex();
+            const codex = new sdk.Codex({ config: buildCodexSdkConfigOverrides() });
             const thread = codex.startThread(threadOptions);
             const localThreadId = `local_${crypto.randomUUID()}`;
             threads.set(localThreadId, {
@@ -553,7 +624,7 @@ export function createCodexRuntime(options) {
         }
 
         const sdk = await loadCodexSdk();
-        const codex = new sdk.Codex();
+        const codex = new sdk.Codex({ config: buildCodexSdkConfigOverrides() });
         const officialId = requestedThreadId && !requestedThreadId.startsWith('local_')
             ? requestedThreadId
             : '';
@@ -708,6 +779,7 @@ export function createCodexRuntime(options) {
             '--config',
             `model_reasoning_effort=${threadOptions.modelReasoningEffort}`
         ];
+        appendCodexIsolationConfigArgs(args);
 
         if (threadOptions.model) {
             args.push('-m', threadOptions.model);
@@ -863,7 +935,7 @@ export function createCodexRuntime(options) {
             const workingDirectory = await resolveWorkingDirectory(body.workingDir || body.workingDirectory || '');
             const threadOptions = buildThreadOptions(body, workingDirectory);
             const sdk = await loadCodexSdk();
-            const codex = new sdk.Codex();
+            const codex = new sdk.Codex({ config: buildCodexSdkConfigOverrides() });
             const thread = codex.resumeThread(threadId, threadOptions);
             threads.set(threadId, {
                 providerKind,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mindexec/cli",
-  "version": "0.2.44",
+  "version": "0.2.46",
   "description": "MindExec local runtime and bridge CLI",
   "main": "server.js",
   "type": "module",

package/remote-hub.js

@@ -19,6 +19,7 @@ const REMOTE_PROTOCOL_VERSION = 1;
 const MAX_SYNTHETIC_DEVICES = 1000;
 const DEFAULT_HOST_TARGET_LEASE_MS = 30000;
 const SYNTHETIC_FRAME_DATA_URL = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAIAAAABCAYAAAD0In+KAAAADElEQVR42mP8z8AAAAMBAQDJ/pLvAAAAAElFTkSuQmCC';
+const SYNTHETIC_FRAME_PAYLOAD = Buffer.from(SYNTHETIC_FRAME_DATA_URL.split(',')[1], 'base64');
 
 function isEnabledValue(value, fallback = true) {
     if (value === undefined || value === null || value === '') {
@@ -122,7 +123,52 @@ function parseJsonLine(line) {
     return JSON.parse(text);
 }
 
-function serializeDevice(device) {
+function createFrameAccessToken() {
+    return crypto.randomBytes(18).toString('base64url');
+}
+
+function buildRemoteFramePath(deviceId, frameKind, frame) {
+    const token = safeString(frame?.accessToken, 128);
+    const frameSeq = Number(frame?.frameSeq);
+    if (!deviceId || !token || !Number.isFinite(frameSeq)) {
+        return '';
+    }
+
+    const endpoint = frameKind === 'thumbnail' ? 'thumbnail' : 'live/frame';
+    const params = new URLSearchParams({
+        format: 'binary',
+        seq: String(Math.floor(frameSeq)),
+        token
+    });
+    return `/api/remote/devices/${encodeURIComponent(deviceId)}/${endpoint}?${params.toString()}`;
+}
+
+function serializeRemoteFrame(frame, deviceId, frameKind, options = {}) {
+    if (!frame) {
+        return null;
+    }
+
+    const {
+        payload,
+        accessToken,
+        dataUrl,
+        ...publicFrame
+    } = frame;
+
+    const framePath = buildRemoteFramePath(deviceId, frameKind, frame);
+    const serialized = {
+        ...publicFrame,
+        framePath,
+        frameUrl: framePath
+    };
+    if (options.includeDataUrl !== false) {
+        serialized.dataUrl = dataUrl;
+    }
+
+    return serialized;
+}
+
+function serializeDevice(device, options = {}) {
     if (!device) {
         return null;
     }
@@ -145,8 +191,8 @@ function serializeDevice(device) {
         lastDisconnectReason: device.lastDisconnectReason,
         remoteAddress: device.remoteAddress,
         remotePort: device.remotePort,
-        latestThumbnail: device.latestThumbnail ? { ...device.latestThumbnail } : null,
-        latestLiveFrame: device.latestLiveFrame ? { ...device.latestLiveFrame } : null,
+        latestThumbnail: serializeRemoteFrame(device.latestThumbnail, device.deviceId, 'thumbnail', options),
+        latestLiveFrame: serializeRemoteFrame(device.latestLiveFrame, device.deviceId, 'live', options),
         activeLiveStream: device.activeLiveStream ? { ...device.activeLiveStream } : null,
         latestTask: device.latestTask ? { ...device.latestTask } : null,
         synthetic: device.synthetic === true,
@@ -376,9 +422,12 @@ export function createRemoteHub(options = {}) {
         };
     }
 
-    function listDevices() {
+    function listDevices(options = {}) {
+        const serializeOptions = {
+            includeDataUrl: options.includeDataUrl !== false
+        };
         return [...devices.values()]
-            .map(serializeDevice)
+            .map(device => serializeDevice(device, serializeOptions))
             .filter(Boolean)
             .sort((a, b) => {
                 const nameCompare = String(a.deviceName || '').localeCompare(String(b.deviceName || ''));
@@ -427,7 +476,10 @@ export function createRemoteHub(options = {}) {
             capturedAt: now,
             receivedAt: now,
             byteLength: 68,
-            dataUrl: SYNTHETIC_FRAME_DATA_URL
+            transport: 'synthetic',
+            dataUrl: SYNTHETIC_FRAME_DATA_URL,
+            payload: SYNTHETIC_FRAME_PAYLOAD,
+            accessToken: createFrameAccessToken()
         };
     }
 
@@ -1095,6 +1147,19 @@ export function createRemoteHub(options = {}) {
             : `data:${mimeType};base64,${frameData}`;
     }
 
+    function buildFramePayloadBuffer(framePayload, frameData) {
+        if (Buffer.isBuffer(framePayload)) {
+            return Buffer.from(framePayload);
+        }
+
+        const raw = String(frameData || '');
+        const commaIndex = raw.indexOf(',');
+        const base64 = raw.startsWith('data:') && commaIndex >= 0
+            ? raw.slice(commaIndex + 1)
+            : raw;
+        return Buffer.from(base64, 'base64');
+    }
+
     function applyThumbnailFrame(device, message, framePayload, transport = 'json-base64') {
         const frameData = Buffer.isBuffer(framePayload)
             ? ''
@@ -1115,6 +1180,7 @@ export function createRemoteHub(options = {}) {
 
         const mimeType = safeString(message.mimeType || message.format || 'image/jpeg', 80) || 'image/jpeg';
         const capturedAt = safeString(message.capturedAt, 80) || device.lastSeenAt;
+        const payload = buildFramePayloadBuffer(framePayload, frameData);
         device.latestThumbnail = {
             streamId: safeString(message.streamId, 128) || 'thumbnail',
             frameSeq,
@@ -1127,7 +1193,9 @@ export function createRemoteHub(options = {}) {
             receivedAt: device.lastSeenAt,
             byteLength,
             transport,
-            dataUrl: buildFrameDataUrl(framePayload, frameData, mimeType)
+            dataUrl: buildFrameDataUrl(framePayload, frameData, mimeType),
+            payload,
+            accessToken: createFrameAccessToken()
         };
         device.counters.thumbnailFramesReceived += 1;
         emitRemoteEvent('RemoteFrameReceived', device, {
@@ -1173,6 +1241,7 @@ export function createRemoteHub(options = {}) {
 
         const mimeType = safeString(message.mimeType || message.format || 'image/jpeg', 80) || 'image/jpeg';
         const capturedAt = safeString(message.capturedAt, 80) || device.lastSeenAt;
+        const payload = buildFramePayloadBuffer(framePayload, frameData);
         device.latestLiveFrame = {
             streamId,
             frameSeq,
@@ -1187,7 +1256,9 @@ export function createRemoteHub(options = {}) {
             receivedAt: device.lastSeenAt,
             byteLength,
             transport,
-            dataUrl: buildFrameDataUrl(framePayload, frameData, mimeType)
+            dataUrl: buildFrameDataUrl(framePayload, frameData, mimeType),
+            payload,
+            accessToken: createFrameAccessToken()
         };
         device.activeLiveStream.lastFrameAt = device.lastSeenAt;
         device.activeLiveStream.lastFrameSeq = frameSeq;
@@ -1904,14 +1975,49 @@ export function createRemoteHub(options = {}) {
         return { ok: true, commandId, streamId };
     }
 
-    function getDeviceLiveFrame(deviceId) {
+    function getDeviceLiveFrame(deviceId, options = {}) {
         const device = devices.get(String(deviceId || ''));
-        return device?.latestLiveFrame ? { ...device.latestLiveFrame } : null;
+        return serializeRemoteFrame(device?.latestLiveFrame, device?.deviceId, 'live', {
+            includeDataUrl: options.includeDataUrl !== false
+        });
+    }
+
+    function getDeviceThumbnail(deviceId, options = {}) {
+        const device = devices.get(String(deviceId || ''));
+        return serializeRemoteFrame(device?.latestThumbnail, device?.deviceId, 'thumbnail', {
+            includeDataUrl: options.includeDataUrl !== false
+        });
     }
 
-    function getDeviceThumbnail(deviceId) {
+    function getFramePayload(deviceId, frameKind, options = {}) {
         const device = devices.get(String(deviceId || ''));
-        return device?.latestThumbnail ? { ...device.latestThumbnail } : null;
+        const frame = frameKind === 'thumbnail'
+            ? device?.latestThumbnail
+            : device?.latestLiveFrame;
+        if (!frame || !Buffer.isBuffer(frame.payload)) {
+            return null;
+        }
+
+        const requestedSeq = Number(options.frameSeq);
+        if (Number.isFinite(requestedSeq) && Math.floor(requestedSeq) !== frame.frameSeq) {
+            return null;
+        }
+
+        const token = safeString(options.token, 128);
+        if (token && !timingSafeStringEqual(token, frame.accessToken)) {
+            return null;
+        }
+
+        if (options.requireToken === true && !token) {
+            return null;
+        }
+
+        return {
+            frame: serializeRemoteFrame(frame, device.deviceId, frameKind, { includeDataUrl: false }),
+            payload: frame.payload,
+            mimeType: safeString(frame.mimeType || frame.format || 'application/octet-stream', 120) || 'application/octet-stream',
+            byteLength: frame.payload.length
+        };
     }
 
     return {
@@ -1931,6 +2037,7 @@ export function createRemoteHub(options = {}) {
         stopLiveStream,
         getDeviceLiveFrame,
         getDeviceThumbnail,
+        getFramePayload,
         seedSyntheticFleet,
         clearSyntheticFleet,
         getPairToken: () => pairToken

package/scripts/remote-http-smoke.mjs

@@ -54,6 +54,26 @@ async function fetchJson(url, options = {}) {
     };
 }
 
+async function fetchBinary(url, options = {}) {
+    const response = await fetch(url, {
+        ...options,
+        headers: {
+            Accept: 'image/png,image/jpeg,image/webp,image/*',
+            ...(options.token ? { 'X-Bridge-Token': options.token } : {}),
+            ...(options.headers || {})
+        }
+    });
+
+    return {
+        status: response.status,
+        ok: response.ok,
+        contentType: response.headers.get('content-type') || '',
+        frameSeq: response.headers.get('x-mindexec-remote-frame-seq') || '',
+        streamId: response.headers.get('x-mindexec-remote-stream-id') || '',
+        payload: Buffer.from(await response.arrayBuffer())
+    };
+}
+
 async function waitForBridge(baseUrl, getFailureDetails, bridgeToken = BRIDGE_TOKEN) {
     const startedAt = Date.now();
     while (Date.now() - startedAt < 30000) {
@@ -339,6 +359,23 @@ async function runSyntheticEnabledSmoke() {
     assert.equal(thumbnail.ok, true, JSON.stringify(thumbnail.payload));
     assert.equal(thumbnail.payload?.thumbnail?.streamId, 'http-smoke-thumb');
     assert.ok(String(thumbnail.payload?.thumbnail?.dataUrl || '').startsWith('data:image/png;base64,'));
+    assert.ok(String(thumbnail.payload?.thumbnail?.framePath || '').includes(`/api/remote/devices/${encodeURIComponent(thumbnailTarget.deviceId)}/thumbnail?`));
+    assert.equal(thumbnail.payload?.thumbnail?.frameUrl, thumbnail.payload?.thumbnail?.framePath);
+
+    const thumbnailBinary = await fetchBinary(`${baseUrl}${thumbnail.payload.thumbnail.framePath}`);
+    assert.equal(thumbnailBinary.ok, true, `${thumbnailBinary.status} ${thumbnailBinary.contentType}`);
+    assert.equal(thumbnailBinary.contentType, 'image/png');
+    assert.equal(thumbnailBinary.streamId, 'http-smoke-thumb');
+    assert.ok(thumbnailBinary.payload.length > 0);
+
+    const badThumbnailBinary = await fetchBinary(`${baseUrl}${thumbnail.payload.thumbnail.framePath.replace(/token=[^&]+/, 'token=wrong-token')}`);
+    assert.equal(badThumbnailBinary.status, 401);
+
+    const devicesUrlOnlyResult = await fetchJson(`${baseUrl}/api/remote/devices?frameData=url`, { token: BRIDGE_TOKEN });
+    assert.equal(devicesUrlOnlyResult.ok, true, JSON.stringify(devicesUrlOnlyResult.payload));
+    const urlOnlyThumbnailDevice = devicesUrlOnlyResult.payload?.devices?.find(device => device.deviceId === thumbnailTarget.deviceId);
+    assert.ok(urlOnlyThumbnailDevice?.latestThumbnail?.framePath);
+    assert.ok(!('dataUrl' in urlOnlyThumbnailDevice.latestThumbnail));
 
     const liveTarget = devicesResult.payload.devices.find(device =>
         device.connected && device.capabilities?.liveStream);
@@ -364,6 +401,23 @@ async function runSyntheticEnabledSmoke() {
     assert.equal(liveFrame.payload?.frame?.streamId, 'http-smoke-live');
     assert.equal(liveFrame.payload?.frame?.mode, 'remote-fast');
     assert.equal(liveFrame.payload?.frame?.fps, 20);
+    assert.ok(String(liveFrame.payload?.frame?.dataUrl || '').startsWith('data:image/png;base64,'));
+    assert.ok(String(liveFrame.payload?.frame?.framePath || '').includes(`/api/remote/devices/${encodeURIComponent(liveTarget.deviceId)}/live/frame?`));
+
+    const liveBinary = await fetchBinary(`${baseUrl}${liveFrame.payload.frame.framePath}`);
+    assert.equal(liveBinary.ok, true, `${liveBinary.status} ${liveBinary.contentType}`);
+    assert.equal(liveBinary.contentType, 'image/png');
+    assert.equal(liveBinary.streamId, 'http-smoke-live');
+    assert.ok(liveBinary.payload.length > 0);
+
+    const liveBinaryWithBridgeToken = await fetchBinary(
+        `${baseUrl}/api/remote/devices/${encodeURIComponent(liveTarget.deviceId)}/live/frame?format=binary`,
+        { token: BRIDGE_TOKEN });
+    assert.equal(liveBinaryWithBridgeToken.ok, true, `${liveBinaryWithBridgeToken.status} ${liveBinaryWithBridgeToken.contentType}`);
+    assert.equal(liveBinaryWithBridgeToken.contentType, 'image/png');
+
+    const badLiveSeq = await fetchBinary(`${baseUrl}${liveFrame.payload.frame.framePath.replace(/seq=\d+/, 'seq=999999')}`);
+    assert.equal(badLiveSeq.status, 401);
 
     const liveStop = await fetchJson(`${baseUrl}/api/remote/devices/${encodeURIComponent(liveTarget.deviceId)}/live/stop`, {
         method: 'POST',

package/scripts/remote-hub-smoke.mjs

@@ -152,6 +152,27 @@ try {
     assert.equal(binaryThumbnailDevice.latestThumbnail.transport, 'binary');
     assert.equal(binaryThumbnailDevice.latestThumbnail.byteLength, smokePngFrame.length);
     assert.equal(binaryThumbnailDevice.counters.thumbnailFramesReceived, 2);
+    const serializedBinaryThumbnail = hub.getDeviceThumbnail('smoke-device', { includeDataUrl: false });
+    assert.equal(serializedBinaryThumbnail.streamId, 'smoke-thumb-binary');
+    assert.equal(serializedBinaryThumbnail.frameSeq, 4);
+    assert.ok(serializedBinaryThumbnail.framePath.includes('/api/remote/devices/smoke-device/thumbnail?'));
+    assert.ok(!('dataUrl' in serializedBinaryThumbnail));
+    assert.ok(!('payload' in serializedBinaryThumbnail));
+    assert.ok(!('accessToken' in serializedBinaryThumbnail));
+    const serializedThumbnailUrl = new URL(serializedBinaryThumbnail.framePath, 'http://127.0.0.1');
+    const thumbnailPayload = hub.getFramePayload('smoke-device', 'thumbnail', {
+        token: serializedThumbnailUrl.searchParams.get('token'),
+        frameSeq: serializedThumbnailUrl.searchParams.get('seq'),
+        requireToken: true
+    });
+    assert.equal(thumbnailPayload?.mimeType, 'image/png');
+    assert.equal(thumbnailPayload?.byteLength, smokePngFrame.length);
+    assert.equal(Buffer.compare(thumbnailPayload.payload, smokePngFrame), 0);
+    assert.equal(hub.getFramePayload('smoke-device', 'thumbnail', {
+        token: 'wrong-token',
+        frameSeq: 4,
+        requireToken: true
+    }), null);
 
     const liveCommand = hub.startLiveStream('smoke-device', {
         streamId: 'smoke-live',
@@ -204,6 +225,27 @@ try {
     assert.equal(binaryLiveDevice.latestLiveFrame.transport, 'binary');
     assert.equal(binaryLiveDevice.latestLiveFrame.byteLength, smokePngFrame.length);
     assert.equal(binaryLiveDevice.counters.liveFramesReceived, 2);
+    const serializedBinaryLiveFrame = hub.getDeviceLiveFrame('smoke-device', { includeDataUrl: false });
+    assert.equal(serializedBinaryLiveFrame.streamId, 'smoke-live');
+    assert.equal(serializedBinaryLiveFrame.frameSeq, 5);
+    assert.ok(serializedBinaryLiveFrame.framePath.includes('/api/remote/devices/smoke-device/live/frame?'));
+    assert.ok(!('dataUrl' in serializedBinaryLiveFrame));
+    assert.ok(!('payload' in serializedBinaryLiveFrame));
+    assert.ok(!('accessToken' in serializedBinaryLiveFrame));
+    const serializedLiveUrl = new URL(serializedBinaryLiveFrame.framePath, 'http://127.0.0.1');
+    const livePayload = hub.getFramePayload('smoke-device', 'live', {
+        token: serializedLiveUrl.searchParams.get('token'),
+        frameSeq: serializedLiveUrl.searchParams.get('seq'),
+        requireToken: true
+    });
+    assert.equal(livePayload?.mimeType, 'image/png');
+    assert.equal(livePayload?.byteLength, smokePngFrame.length);
+    assert.equal(Buffer.compare(livePayload.payload, smokePngFrame), 0);
+    assert.equal(hub.getFramePayload('smoke-device', 'live', {
+        token: serializedLiveUrl.searchParams.get('token'),
+        frameSeq: 4,
+        requireToken: true
+    }), null);
 
     const staleFrameBefore = liveDevice.counters.liveFramesDropped;
     writeJsonLine(socket, {

package/server.js

@@ -1756,20 +1756,69 @@ const PROTECTED_BRIDGE_ROUTES = [
     { method: 'POST', exact: '/api/tool/trace' }
 ];
 
-function getBridgeTokenFromRequest(req) {
-    const headerToken = String(req.get(bridgeTokenHeader) || '').trim();
-    if (headerToken) {
-        return headerToken;
-    }
+function getBridgeTokenFromRequest(req) {
+    const headerToken = String(req.get(bridgeTokenHeader) || '').trim();
+    if (headerToken) {
+        return headerToken;
+    }
 
     const authorization = String(req.get('authorization') || '').trim();
-    const bearerMatch = authorization.match(/^Bearer\s+(.+)$/i);
-    return bearerMatch ? bearerMatch[1].trim() : '';
-}
-
-function isProtectedBridgeRoute(method, requestPath) {
-    const normalizedMethod = String(method || '').toUpperCase();
-    const normalizedPath = String(requestPath || '').toLowerCase();
+    const bearerMatch = authorization.match(/^Bearer\s+(.+)$/i);
+    return bearerMatch ? bearerMatch[1].trim() : '';
+}
+
+function isBridgeTokenAuthorized(req) {
+    return !bridgeAuthRequired || getBridgeTokenFromRequest(req) === bridgeToken;
+}
+
+function wantsRemoteFrameBinaryRequest(req) {
+    const format = String(req.query?.format || req.query?.frameData || '').trim().toLowerCase();
+    if (format === 'binary' || format === 'image' || format === 'raw') {
+        return true;
+    }
+
+    const accept = String(req.get('accept') || '').toLowerCase();
+    return /\bimage\//.test(accept) && !accept.includes('application/json');
+}
+
+function getRemoteFrameTokenRequest(req) {
+    if (String(req.method || '').toUpperCase() !== 'GET' || !wantsRemoteFrameBinaryRequest(req)) {
+        return null;
+    }
+
+    const match = String(req.path || '').match(/^\/api\/remote\/devices\/([^/]+)\/(thumbnail|live\/frame)$/i);
+    if (!match) {
+        return null;
+    }
+
+    try {
+        return {
+            deviceId: decodeURIComponent(match[1]),
+            frameKind: match[2].toLowerCase() === 'thumbnail' ? 'thumbnail' : 'live',
+            token: String(req.query?.token || '').trim(),
+            frameSeq: req.query?.seq
+        };
+    } catch {
+        return null;
+    }
+}
+
+function isAuthorizedRemoteFrameTokenRequest(req) {
+    const frameRequest = getRemoteFrameTokenRequest(req);
+    if (!frameRequest?.token) {
+        return false;
+    }
+
+    return !!remoteHub.getFramePayload(frameRequest.deviceId, frameRequest.frameKind, {
+        token: frameRequest.token,
+        frameSeq: frameRequest.frameSeq,
+        requireToken: true
+    });
+}
+
+function isProtectedBridgeRoute(method, requestPath) {
+    const normalizedMethod = String(method || '').toUpperCase();
+    const normalizedPath = String(requestPath || '').toLowerCase();
 
     return PROTECTED_BRIDGE_ROUTES.some((rule) => {
         if (rule.method && rule.method !== normalizedMethod) {
@@ -1786,13 +1835,13 @@ function isProtectedBridgeRoute(method, requestPath) {
 
         return false;
     });
-}
-
-function requireBridgeToken(req, res, next) {
-    if (!bridgeAuthRequired || getBridgeTokenFromRequest(req) === bridgeToken) {
-        next();
-        return;
-    }
+}
+
+function requireBridgeToken(req, res, next) {
+    if (isBridgeTokenAuthorized(req) || isAuthorizedRemoteFrameTokenRequest(req)) {
+        next();
+        return;
+    }
 
     res.status(401).json({
         error: 'Bridge token required',
@@ -6967,7 +7016,8 @@ app.get('/api/remote/status', (req, res) => {
 
 app.get('/api/remote/devices', (req, res) => {
     res.setHeader('Cache-Control', 'no-store');
-    const devices = remoteHub.listDevices();
+    const includeDataUrl = !/^(0|false|no|url|metadata)$/i.test(String(req.query?.includeDataUrl ?? req.query?.frameData ?? ''));
+    const devices = remoteHub.listDevices({ includeDataUrl });
     res.json({
         total: devices.length,
         pagination: 'none',
@@ -7058,7 +7108,7 @@ app.post('/api/remote/tasks', (req, res) => {
         : [];
     const allConnected = req.body?.allConnected !== false;
     const approvalLevel = req.body?.approvalLevel === 'ai-assist' ? 'ai-assist' : 'task-only';
-    const devices = remoteHub.listDevices();
+    const devices = remoteHub.listDevices({ includeDataUrl: false });
     const targetIds = requestedDeviceIds.length > 0
         ? requestedDeviceIds
         : (allConnected
@@ -7098,9 +7148,44 @@ function isRemoteCapabilityEnabled(device, key) {
     return /^(1|true|yes|on)$/i.test(String(value || '').trim());
 }
 
+function includeRemoteFrameDataUrl(req) {
+    return !/^(0|false|no|url|metadata)$/i.test(String(req.query?.includeDataUrl ?? req.query?.frameData ?? ''));
+}
+
+function sendRemoteFrameBinary(req, res, frameKind) {
+    const bridgeAuthorized = isBridgeTokenAuthorized(req);
+    const payload = remoteHub.getFramePayload(req.params.deviceId, frameKind, {
+        token: bridgeAuthorized ? '' : req.query?.token,
+        frameSeq: req.query?.seq,
+        requireToken: !bridgeAuthorized
+    });
+    if (!payload) {
+        res.status(bridgeAuthorized ? 404 : 403).json({
+            ok: false,
+            error: bridgeAuthorized ? 'frame-payload-not-available' : 'invalid-frame-token'
+        });
+        return true;
+    }
+
+    res.setHeader('Cache-Control', 'no-store');
+    res.setHeader('Content-Type', payload.mimeType);
+    res.setHeader('Content-Length', String(payload.byteLength));
+    res.setHeader('X-MindExec-Remote-Frame-Seq', String(payload.frame?.frameSeq || ''));
+    res.setHeader('X-MindExec-Remote-Stream-Id', String(payload.frame?.streamId || ''));
+    res.send(payload.payload);
+    return true;
+}
+
 app.get('/api/remote/devices/:deviceId/thumbnail', (req, res) => {
     res.setHeader('Cache-Control', 'no-store');
-    const thumbnail = remoteHub.getDeviceThumbnail(req.params.deviceId);
+    if (wantsRemoteFrameBinaryRequest(req)) {
+        sendRemoteFrameBinary(req, res, 'thumbnail');
+        return;
+    }
+
+    const thumbnail = remoteHub.getDeviceThumbnail(req.params.deviceId, {
+        includeDataUrl: includeRemoteFrameDataUrl(req)
+    });
     if (!thumbnail) {
         res.status(404).json({ ok: false, error: 'thumbnail-not-available' });
         return;
@@ -7120,7 +7205,14 @@ app.post('/api/remote/devices/:deviceId/thumbnail/request', (req, res) => {
 
 app.get('/api/remote/devices/:deviceId/live/frame', (req, res) => {
     res.setHeader('Cache-Control', 'no-store');
-    const frame = remoteHub.getDeviceLiveFrame(req.params.deviceId);
+    if (wantsRemoteFrameBinaryRequest(req)) {
+        sendRemoteFrameBinary(req, res, 'live');
+        return;
+    }
+
+    const frame = remoteHub.getDeviceLiveFrame(req.params.deviceId, {
+        includeDataUrl: includeRemoteFrameDataUrl(req)
+    });
     if (!frame) {
         res.status(404).json({ ok: false, error: 'live-frame-not-available' });
         return;