npm - cli-tunnel - Versions diffs - 1.1.0 → 1.2.0-beta.2 - Mend

cli-tunnel 1.1.0 → 1.2.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -77,12 +77,55 @@ cli-tunnel copilot
 ## Security
-Tunnels are **private by default** — only the Microsoft/GitHub account that created the tunnel can connect. Auth is enforced at Microsoft's relay layer before traffic reaches your machine.
+cli-tunnel uses a layered security model:
-- No inbound ports opened
-- No anonymous access
-- No central server
-- TLS encryption via devtunnel relay
+**Network layer** — Microsoft Dev Tunnels are private by default. Only the Microsoft or GitHub account that created the tunnel can connect. TLS encryption is handled by Microsoft's relay infrastructure. No inbound ports are opened on your machine.
+**Session authentication** — Each session generates a unique token (cryptographic random UUID). All HTTP API and WebSocket connections require this token. The token is embedded in the URL you receive at startup — anyone without it cannot connect.
+**WebSocket auth** — cli-tunnel uses a ticket-based handshake: the browser exchanges the session token for a single-use, short-lived ticket (60 seconds) to establish the WebSocket connection. This avoids keeping the long-lived token in WebSocket upgrade logs.
+**Input validation** — Only structured JSON messages are accepted over WebSocket. Raw text is rejected and logged. Terminal resize commands are bounds-checked to prevent abuse.
+**Environment isolation** — The child process receives a filtered set of environment variables (an allowlist of ~40 safe variables like PATH, HOME, TERM). Sensitive variables and NODE_OPTIONS are excluded to prevent code injection.
+**Audit logging** — All remote keyboard input is logged to `~/.cli-tunnel/audit/` in JSONL format with timestamps and source addresses. Secrets are automatically redacted from audit entries.
+**Connection limits** — Maximum 5 concurrent WebSocket connections. Sessions expire after 24 hours.
+## Terminal Size Behavior
+cli-tunnel uses a single PTY (pseudo-terminal) shared between your local terminal and all remote viewers. When a phone or tablet connects, the PTY resizes to match the remote device's screen dimensions. This ensures the CLI app renders correctly on the device you're actively using to interact with it.
+Because the PTY can only have one size at a time, the local terminal on your machine will reflect the remote device's dimensions while it's connected. This is by design — cli-tunnel prioritizes the remote viewing experience since the primary use case is controlling your CLI from another device.
+**Tips for the best experience:**
+- Rotate your phone to landscape for a wider terminal
+- Use the key bar (↑↓←→ Tab Enter Esc Ctrl+C) at the bottom for navigation
+- If multiple devices connect, the last one to resize wins
+## FAQ
+**Can multiple devices connect to the same session?**
+Yes, up to 5 devices simultaneously. All viewers see the same terminal output in real time. Input from any device goes to the same CLI session.
+**What happens if my phone disconnects?**
+The CLI session keeps running on your machine. When you reconnect, you'll see live output from that point forward. Use `--replay` to enable history replay so reconnecting devices catch up on what they missed.
+**Does cli-tunnel work with any CLI app?**
+Yes. Any command that runs in a terminal works — copilot, vim, htop, python, ssh, k9s, node, and more. cli-tunnel doesn't interpret the command's output; it streams raw terminal bytes.
+**Is there a central server?**
+No. cli-tunnel runs entirely on your machine. Microsoft Dev Tunnels provides the relay infrastructure, but no third-party server sees your terminal content.
+**What about the anti-phishing page?**
+The first time you open a devtunnel URL, Microsoft shows an interstitial warning page. This is a devtunnel security feature — it confirms you trust the tunnel. You only see it once per tunnel.
+**Does the tool work without devtunnel?**
+Yes. Use `--local` to skip tunnel creation. The terminal is available at `http://127.0.0.1:<port>` on your local network only.
+**What's hub mode?**
+Run `cli-tunnel` with no command to start hub mode — a sessions dashboard that shows all active cli-tunnel sessions on your machine. Tap any online session to connect to it.
 ## How It's Built

package/dist/index.js CHANGED Viewed

@@ -20,8 +20,15 @@ import crypto from 'node:crypto';
 import { execSync, execFileSync, spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import http from 'node:http';
+import readline from 'node:readline';
 import { WebSocketServer, WebSocket } from 'ws';
 import os from 'node:os';
+function askUser(question) {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => { rl.close(); resolve(answer.trim().toLowerCase()); });
+    });
+}
 const BOLD = '\x1b[1m';
 const RESET = '\x1b[0m';
 const DIM = '\x1b[2m';
@@ -29,40 +36,45 @@ const GREEN = '\x1b[32m';
 const YELLOW = '\x1b[33m';
 // ─── Parse args ─────────────────────────────────────────────
 const args = process.argv.slice(2);
-if (args.includes('--help') || args.includes('-h') || args.length === 0) {
+if (args.includes('--help') || args.includes('-h')) {
     console.log(`
 ${BOLD}cli-tunnel${RESET} — Tunnel any CLI app to your phone
 ${BOLD}Usage:${RESET}
   cli-tunnel [options] <command> [args...]
+  cli-tunnel                              # hub mode — sessions dashboard only
 ${BOLD}Options:${RESET}
-  --tunnel           Enable remote access via devtunnel
+  --local            Disable devtunnel (localhost only)
   --port <n>         Bridge port (default: random)
   --name <name>      Session name (shown in dashboard)
+  --replay           Enable replay buffer (off by default)
   --help, -h         Show this help
 ${BOLD}Examples:${RESET}
-  cli-tunnel copilot
-  cli-tunnel --tunnel copilot --yolo
-  cli-tunnel --tunnel copilot --model claude-sonnet-4 --agent squad
-  cli-tunnel --tunnel --name wizard copilot --allow-all
-  cli-tunnel --tunnel python -i
-  cli-tunnel --tunnel htop
+  cli-tunnel copilot --yolo               # tunnel + run copilot
+  cli-tunnel copilot --model claude-sonnet-4 --agent squad
+  cli-tunnel k9s                          # tunnel + run k9s
+  cli-tunnel python -i                    # tunnel + run python
+  cli-tunnel --name wizard copilot        # named session
+  cli-tunnel --local copilot --yolo       # localhost only, no devtunnel
+  cli-tunnel                              # hub: see all active sessions
-Any flags after the command name pass through to the underlying
-app. cli-tunnel's own flags (--tunnel, --port, --name) must come
-before the command.
+Devtunnel is enabled by default. All flags after the command name
+pass through to the underlying app. cli-tunnel's own flags
+(--local, --port, --name) must come before the command.
 `);
     process.exit(0);
 }
-const hasTunnel = args.includes('--tunnel');
+const hasLocal = args.includes('--local');
+const hasTunnel = !hasLocal;
+const hasReplay = args.includes('--replay');
 const portIdx = args.indexOf('--port');
 const port = (portIdx !== -1 && args[portIdx + 1]) ? parseInt(args[portIdx + 1], 10) : 0;
 const nameIdx = args.indexOf('--name');
 const sessionName = (nameIdx !== -1 && args[nameIdx + 1]) ? args[nameIdx + 1] : '';
 // Everything that's not our flags is the command
-const ourFlags = new Set(['--tunnel', '--port', '--name']);
+const ourFlags = new Set(['--local', '--tunnel', '--port', '--name', '--replay']);
 const cmdArgs = [];
 let skip = false;
 for (let i = 0; i < args.length; i++) {
@@ -70,20 +82,18 @@ for (let i = 0; i < args.length; i++) {
         skip = false;
         continue;
     }
-    if (ourFlags.has(args[i]) && args[i] !== '--tunnel') {
+    if (args[i] === '--port' || args[i] === '--name') {
         skip = true;
         continue;
     }
-    if (args[i] === '--tunnel')
+    if (args[i] === '--local' || args[i] === '--tunnel' || args[i] === '--replay')
         continue;
     cmdArgs.push(args[i]);
 }
-if (cmdArgs.length === 0) {
-    console.error('Error: no command specified. Run cli-tunnel --help for usage.');
-    process.exit(1);
-}
-const command = cmdArgs[0];
-const commandArgs = cmdArgs.slice(1);
+// Hub mode — no command, just show sessions dashboard
+const hubMode = cmdArgs.length === 0;
+const command = hubMode ? '' : cmdArgs[0];
+const commandArgs = hubMode ? [] : cmdArgs.slice(1);
 const cwd = process.cwd();
 // ─── Tunnel helpers ─────────────────────────────────────────
 function sanitizeLabel(l) {
@@ -103,18 +113,85 @@ function getGitInfo() {
 }
 // ─── Security: Session token for WebSocket auth ────────────
 const sessionToken = crypto.randomUUID();
+// ─── F-18: Session TTL (24 hours) ──────────────────────────
+const SESSION_TTL = 24 * 60 * 60 * 1000; // 24 hours
+const sessionCreatedAt = Date.now();
+// ─── F-02: One-time ticket store for WebSocket auth ────────
+const tickets = new Map();
+// #30: Ticket GC — clean expired tickets every 30s
+setInterval(() => {
+    const now = Date.now();
+    for (const [id, t] of tickets) {
+        if (t.expires < now)
+            tickets.delete(id);
+    }
+}, 30000);
 // ─── Security: Redact secrets from replay events ────────────
 function redactSecrets(text) {
-    return text.replace(/(?:token|secret|key|password|credential|authorization)[\s:="']+[^\s"']{8,}/gi, '$& [REDACTED]');
+    return text
+        // Generic patterns: key=value, key: value, key="value"
+        .replace(/(?:token|secret|key|password|credential|authorization|api_key|private_key|access_key|connection_string|db_pass|signing)[\s:="']+\S{8,}/gi, '[REDACTED]')
+        // OpenAI keys
+        .replace(/sk-[a-zA-Z0-9]{20,}/g, '[REDACTED]')
+        // GitHub tokens
+        .replace(/gh[ps]_[a-zA-Z0-9]{36,}/g, '[REDACTED]')
+        // AWS keys
+        .replace(/AKIA[A-Z0-9]{16}/g, '[REDACTED]')
+        // Azure connection strings
+        .replace(/DefaultEndpointsProtocol=[^;\s]{20,}/gi, '[REDACTED]')
+        .replace(/AccountKey=[^;\s]{20,}/gi, 'AccountKey=[REDACTED]')
+        // Database URLs
+        .replace(/(postgres|mongodb|mysql|redis):\/\/[^\s"']{10,}/gi, '[REDACTED]')
+        // Bearer tokens in headers
+        .replace(/Bearer\s+[a-zA-Z0-9._-]{20,}/gi, 'Bearer [REDACTED]');
 }
 // ─── Bridge server ──────────────────────────────────────────
 const acpEventLog = [];
 const connections = new Map();
+// #10: Session TTL enforcement — periodically close expired connections
+setInterval(() => {
+    if (Date.now() - sessionCreatedAt > SESSION_TTL) {
+        for (const [id, ws] of connections) {
+            ws.close(1000, 'Session expired');
+            connections.delete(id);
+        }
+    }
+}, 60000);
 const server = http.createServer((req, res) => {
+    // F-18: Session expiry check for API routes
+    if (!hubMode && req.url?.startsWith('/api/') && Date.now() - sessionCreatedAt > SESSION_TTL) {
+        res.writeHead(401, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Session expired' }));
+        return;
+    }
+    // F-02: Ticket endpoint — exchange session token for one-time WS ticket
+    if (req.url === '/api/auth/ticket' && req.method === 'POST') {
+        const auth = req.headers.authorization?.replace('Bearer ', '');
+        if (auth !== sessionToken) {
+            res.writeHead(401);
+            res.end();
+            return;
+        }
+        const ticket = crypto.randomUUID();
+        tickets.set(ticket, { expires: Date.now() + 60000 });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ticket, expires: Date.now() + 60000 }));
+        return;
+    }
+    // F-01: Session token check for all API routes (skip in hub mode)
+    if (!hubMode && req.url?.startsWith('/api/')) {
+        const reqUrl = new URL(req.url, `http://${req.headers.host}`);
+        const authToken = req.headers.authorization?.replace('Bearer ', '') || reqUrl.searchParams.get('token');
+        if (authToken !== sessionToken) {
+            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Unauthorized' }));
+            return;
+        }
+    }
     // Sessions API
     if (req.url === '/api/sessions' && req.method === 'GET') {
         try {
-            const output = execSync('devtunnel list --labels cli-tunnel --json', { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
+            const output = execFileSync('devtunnel', ['list', '--labels', 'cli-tunnel', '--json'], { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
             const data = JSON.parse(output);
             const sessions = (data.tunnels || []).map((t) => {
                 const labels = t.labels || [];
@@ -163,7 +240,16 @@ const server = http.createServer((req, res) => {
     }
     // Static files
     const uiDir = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../remote-ui');
-    const decodedUrl = decodeURIComponent(req.url || '/');
+    // #18: Guard against malformed URI encoding
+    let decodedUrl;
+    try {
+        decodedUrl = decodeURIComponent(req.url || '/');
+    }
+    catch {
+        res.writeHead(400);
+        res.end();
+        return;
+    }
     if (decodedUrl.includes('..')) {
         res.writeHead(400);
         res.end();
@@ -175,65 +261,132 @@ const server = http.createServer((req, res) => {
         res.end();
         return;
     }
-    if (!fs.existsSync(filePath))
-        filePath = path.resolve(uiDir, 'index.html');
+    // #2: EISDIR guard — check if path is a directory before createReadStream
+    try {
+        const stat = fs.statSync(filePath);
+        if (stat.isDirectory()) {
+            filePath = path.join(filePath, 'index.html');
+            if (!fs.existsSync(filePath)) {
+                res.writeHead(404);
+                res.end();
+                return;
+            }
+        }
+    }
+    catch {
+        res.writeHead(404);
+        res.end();
+        return;
+    }
     const ext = path.extname(filePath);
     const mimes = { '.html': 'text/html', '.js': 'application/javascript', '.css': 'text/css', '.json': 'application/json' };
     const securityHeaders = {
         'Content-Type': mimes[ext] || 'application/octet-stream',
         'X-Frame-Options': 'DENY',
         'X-Content-Type-Options': 'nosniff',
-        'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; connect-src 'self' ws: wss:;",
+        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; connect-src 'self' ws://localhost:* wss://*.devtunnels.ms;",
+        'Referrer-Policy': 'no-referrer',
+        'Cache-Control': 'no-store',
     };
     res.writeHead(200, securityHeaders);
-    fs.createReadStream(filePath).pipe(res);
+    // #8: Handle createReadStream errors
+    const stream = fs.createReadStream(filePath);
+    stream.on('error', () => { if (!res.headersSent) {
+        res.writeHead(500);
+    } res.end(); });
+    stream.pipe(res);
 });
 const wss = new WebSocketServer({
     server,
     maxPayload: 1048576,
     verifyClient: (info) => {
+        if (hubMode)
+            return true; // Hub mode doesn't need WS auth
+        // F-18: Session expiry
+        if (Date.now() - sessionCreatedAt > SESSION_TTL)
+            return false;
         const url = new URL(info.req.url, `http://${info.req.headers.host}`);
-        return url.searchParams.get('token') === sessionToken;
+        // F-02: Accept one-time ticket
+        const ticket = url.searchParams.get('ticket');
+        if (ticket && tickets.has(ticket)) {
+            const t = tickets.get(ticket);
+            tickets.delete(ticket); // Single use
+            return t.expires > Date.now();
+        }
+        // Backward compat: accept token
+        if (url.searchParams.get('token') !== sessionToken)
+            return false;
+        // Validate origin if present
+        // #28: Proper origin validation using URL parsing
+        const origin = info.req.headers.origin;
+        if (origin) {
+            try {
+                const originUrl = new URL(origin);
+                const host = originUrl.hostname;
+                if (host !== 'localhost' && host !== '127.0.0.1' && !host.endsWith('.devtunnels.ms')) {
+                    return false;
+                }
+            }
+            catch {
+                return false;
+            }
+        }
+        return true;
     },
 });
 // ─── Security: Audit log for remote PTY input ──────────────
-const auditLogPath = path.join(os.tmpdir(), `cli-tunnel-audit-${Date.now()}.log`);
+const auditDir = path.join(os.homedir(), '.cli-tunnel', 'audit');
+fs.mkdirSync(auditDir, { recursive: true, mode: 0o700 });
+const auditLogPath = path.join(auditDir, `audit-${new Date().toISOString().slice(0, 10)}.jsonl`);
 const auditLog = fs.createWriteStream(auditLogPath, { flags: 'a' });
+auditLog.on('error', (err) => { console.error('Audit log error:', err.message); });
 wss.on('connection', (ws, req) => {
-    const id = Math.random().toString(36).substring(2);
+    // F-10: Connection cap
+    if (connections.size >= 5) {
+        ws.close(1013, 'Max connections reached');
+        return;
+    }
+    const id = crypto.randomUUID();
     const remoteAddress = req.socket.remoteAddress || 'unknown';
     connections.set(id, ws);
-    // Replay history with secrets redacted
-    for (const event of acpEventLog) {
-        ws.send(JSON.stringify({ type: '_replay', data: redactSecrets(event) }));
+    // Replay history with secrets redacted (only if replay is enabled)
+    if (hasReplay) {
+        for (const event of acpEventLog) {
+            ws.send(JSON.stringify({ type: '_replay', data: redactSecrets(event) }));
+        }
+        ws.send(JSON.stringify({ type: '_replay_done' }));
     }
-    ws.send(JSON.stringify({ type: '_replay_done' }));
     ws.on('message', (data) => {
         const raw = data.toString();
         try {
             const msg = JSON.parse(raw);
             if (msg.type === 'pty_input' && ptyProcess) {
-                auditLog.write(`${new Date().toISOString()} [${remoteAddress}] ${JSON.stringify(msg.data)}\n`);
+                auditLog.write(JSON.stringify({ ts: new Date().toISOString(), src: remoteAddress, type: 'pty_input', data: redactSecrets(JSON.stringify(msg.data)) }) + '\n');
                 ptyProcess.write(msg.data);
             }
-            if (msg.type === 'pty_resize' && ptyProcess) {
-                const cols = Math.max(1, Math.min(500, msg.cols));
-                const rows = Math.max(1, Math.min(200, msg.rows));
-                ptyProcess.resize(cols, rows);
+            // #7: NaN guard on pty_resize
+            if (msg.type === 'pty_resize') {
+                const cols = Number(msg.cols);
+                const rows = Number(msg.rows);
+                if (Number.isFinite(cols) && Number.isFinite(rows) && ptyProcess) {
+                    ptyProcess.resize(Math.max(1, Math.min(500, cols)), Math.max(1, Math.min(200, rows)));
+                }
             }
         }
         catch {
-            if (ptyProcess)
-                ptyProcess.write(raw + '\r');
+            // #3: Log but do NOT write to PTY — only structured pty_input messages allowed
+            auditLog.write(JSON.stringify({ ts: new Date().toISOString(), type: 'rejected', reason: 'non-json', length: raw.length }) + '\n');
         }
     });
     ws.on('close', () => connections.delete(id));
 });
 function broadcast(data) {
     const msg = JSON.stringify({ type: 'pty', data });
-    acpEventLog.push(msg);
-    if (acpEventLog.length > 2000)
-        acpEventLog.splice(0, acpEventLog.length - 2000);
+    if (hasReplay) {
+        acpEventLog.push(msg);
+        if (acpEventLog.length > 2000)
+            acpEventLog.splice(0, acpEventLog.length - 2000);
+    }
     for (const [, ws] of connections) {
         if (ws.readyState === WebSocket.OPEN)
             ws.send(msg);
@@ -243,7 +396,7 @@ function broadcast(data) {
 let ptyProcess = null;
 async function main() {
     const actualPort = await new Promise((resolve, reject) => {
-        server.listen(port, () => {
+        server.listen(port, '127.0.0.1', () => {
             const addr = server.address();
             resolve(typeof addr === 'object' ? addr.port : port);
         });
@@ -252,60 +405,106 @@ async function main() {
     const { repo, branch } = getGitInfo();
     const machine = os.hostname();
     const displayName = sessionName || command;
-    console.log(`\n${BOLD}cli-tunnel${RESET} ${DIM}v1.0.0${RESET}\n`);
-    console.log(`  ${DIM}Command:${RESET}  ${command} ${commandArgs.join(' ')}`);
-    console.log(`  ${DIM}Name:${RESET}     ${displayName}`);
-    console.log(`  ${DIM}Port:${RESET}     ${actualPort}`);
-    console.log(`  ${DIM}Audit log:${RESET} ${auditLogPath}`);
+    console.log(`\n${BOLD}cli-tunnel${RESET} ${DIM}v1.1.0${RESET}\n`);
+    if (hubMode) {
+        console.log(`  ${BOLD}📋 Hub Mode${RESET} — sessions dashboard`);
+        console.log(`  ${DIM}Port:${RESET}     ${actualPort}\n`);
+    }
+    else {
+        console.log(`  ${DIM}Command:${RESET}  ${command} ${commandArgs.join(' ')}`);
+        console.log(`  ${DIM}Name:${RESET}     ${displayName}`);
+        console.log(`  ${DIM}Port:${RESET}     ${actualPort}`);
+        console.log(`  ${DIM}Audit log:${RESET} ${auditLogPath}`);
+        console.log(`  ${DIM}Local URL:${RESET} http://127.0.0.1:${actualPort}?token=${sessionToken}`);
+        console.log(`  ${DIM}Session expires:${RESET} ${new Date(sessionCreatedAt + SESSION_TTL).toLocaleTimeString()}`);
+    }
     // Tunnel
     if (hasTunnel) {
         // Check if devtunnel is installed
         let devtunnelInstalled = false;
         try {
-            execSync('devtunnel --version', { stdio: 'pipe' });
+            execFileSync('devtunnel', ['--version'], { stdio: 'pipe' });
             devtunnelInstalled = true;
         }
         catch {
             console.log(`\n  ${YELLOW}⚠ devtunnel CLI not found!${RESET}\n`);
-            console.log(`  ${BOLD}To enable remote access, install Microsoft Dev Tunnels:${RESET}\n`);
+            let installCmd = '';
             if (process.platform === 'win32') {
-                console.log(`    ${GREEN}winget install Microsoft.devtunnel${RESET}`);
+                installCmd = 'winget install Microsoft.devtunnel';
             }
             else if (process.platform === 'darwin') {
-                console.log(`    ${GREEN}brew install --cask devtunnel${RESET}`);
+                installCmd = 'brew install --cask devtunnel';
             }
             else {
-                console.log(`    ${GREEN}curl -sL https://aka.ms/DevTunnelCliInstall | bash${RESET}`);
+                installCmd = 'curl -sL https://aka.ms/DevTunnelCliInstall | bash';
             }
-            console.log(`\n  Then authenticate once:\n`);
-            console.log(`    ${GREEN}devtunnel user login${RESET}\n`);
-            console.log(`  ${DIM}More info: https://aka.ms/devtunnels/doc${RESET}\n`);
-            console.log(`  ${DIM}Continuing without tunnel (local only)...${RESET}\n`);
-        }
-        // Check if logged in
-        if (devtunnelInstalled) {
-            try {
-                const userInfo = execSync('devtunnel user show', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-                if (userInfo.includes('not logged in') || userInfo.includes('No user')) {
-                    throw new Error('not logged in');
+            const answer = await askUser(`  Would you like to install it now? (${GREEN}${installCmd}${RESET}) [Y/n] `);
+            if (answer === '' || answer === 'y' || answer === 'yes') {
+                console.log(`\n  ${DIM}Installing devtunnel...${RESET}\n`);
+                try {
+                    const installParts = installCmd.split(' ');
+                    const installProc = spawn(installParts[0], installParts.slice(1), { stdio: 'inherit', shell: process.platform !== 'win32' && installCmd.includes('|') });
+                    await new Promise((resolve, reject) => {
+                        installProc.on('close', (code) => code === 0 ? resolve() : reject(new Error(`Install exited with code ${code}`)));
+                        installProc.on('error', reject);
+                    });
+                    // Verify installation
+                    execFileSync('devtunnel', ['--version'], { stdio: 'pipe' });
+                    console.log(`\n  ${GREEN}✓${RESET} devtunnel installed successfully!\n`);
+                    devtunnelInstalled = true;
+                }
+                catch (err) {
+                    console.log(`\n  ${YELLOW}⚠${RESET} Installation failed: ${err.message}`);
+                    console.log(`  ${DIM}You can install it manually: ${installCmd}${RESET}\n`);
+                    console.log(`  ${DIM}Continuing without tunnel (local only)...${RESET}\n`);
                 }
             }
-            catch {
-                console.log(`\n  ${YELLOW}⚠ devtunnel not authenticated!${RESET}\n`);
-                console.log(`  Run this once to log in:\n`);
-                console.log(`    ${GREEN}devtunnel user login${RESET}\n`);
+            else {
+                console.log(`\n  ${DIM}More info: https://aka.ms/devtunnels/doc${RESET}`);
                 console.log(`  ${DIM}Continuing without tunnel (local only)...${RESET}\n`);
-                devtunnelInstalled = false;
+            }
+            // If just installed, check login
+            if (devtunnelInstalled) {
+                try {
+                    const userInfo = execFileSync('devtunnel', ['user', 'show'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+                    if (userInfo.includes('not logged in') || userInfo.includes('No user')) {
+                        throw new Error('not logged in');
+                    }
+                }
+                catch {
+                    console.log(`  ${YELLOW}⚠ devtunnel not authenticated.${RESET}\n`);
+                    const loginAnswer = await askUser(`  Would you like to log in now? [Y/n] `);
+                    if (loginAnswer === '' || loginAnswer === 'y' || loginAnswer === 'yes') {
+                        try {
+                            const loginProc = spawn('devtunnel', ['user', 'login'], { stdio: 'inherit' });
+                            await new Promise((resolve, reject) => {
+                                loginProc.on('close', (code) => code === 0 ? resolve() : reject(new Error(`Login exited with code ${code}`)));
+                                loginProc.on('error', reject);
+                            });
+                            console.log(`\n  ${GREEN}✓${RESET} Logged in successfully!\n`);
+                        }
+                        catch {
+                            console.log(`\n  ${YELLOW}⚠${RESET} Login failed. Run manually: ${GREEN}devtunnel user login${RESET}\n`);
+                            console.log(`  ${DIM}Continuing without tunnel (local only)...${RESET}\n`);
+                            devtunnelInstalled = false;
+                        }
+                    }
+                    else {
+                        console.log(`\n  ${DIM}Run this once to log in: ${GREEN}devtunnel user login${RESET}`);
+                        console.log(`  ${DIM}Continuing without tunnel (local only)...${RESET}\n`);
+                        devtunnelInstalled = false;
+                    }
+                }
             }
         }
         if (devtunnelInstalled) {
             try {
-                const labels = ['cli-tunnel', sanitizeLabel(sessionName || command), sanitizeLabel(repo), sanitizeLabel(branch), sanitizeLabel(machine), `port-${actualPort}`]
-                    .map(l => `--labels ${l}`).join(' ');
-                const createOut = execSync(`devtunnel create ${labels} --expiration 1d --json`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+                const labelValues = ['cli-tunnel', sanitizeLabel(sessionName || command), sanitizeLabel(repo), sanitizeLabel(branch), sanitizeLabel(machine), `port-${actualPort}`];
+                const labelArgs = labelValues.flatMap(l => ['--labels', l]);
+                const createOut = execFileSync('devtunnel', ['create', ...labelArgs, '--expiration', '1d', '--json'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
                 const tunnelId = JSON.parse(createOut).tunnel?.tunnelId?.split('.')[0];
                 const cluster = JSON.parse(createOut).tunnel?.tunnelId?.split('.')[1] || 'euw';
-                execSync(`devtunnel port create ${tunnelId} -p ${actualPort} --protocol http`, { stdio: 'pipe' });
+                execFileSync('devtunnel', ['port', 'create', tunnelId, '-p', String(actualPort), '--protocol', 'http'], { stdio: 'pipe' });
                 const hostProc = spawn('devtunnel', ['host', tunnelId], { stdio: 'pipe', detached: false });
                 const url = await new Promise((resolve, reject) => {
                     const timeout = setTimeout(() => reject(new Error('Tunnel timeout')), 15000);
@@ -329,11 +528,11 @@ async function main() {
                 }
                 catch { }
                 process.on('SIGINT', () => { hostProc.kill(); try {
-                    execSync(`devtunnel delete ${tunnelId} --force`, { stdio: 'pipe' });
+                    execFileSync('devtunnel', ['delete', tunnelId, '--force'], { stdio: 'pipe' });
                 }
                 catch { } });
                 process.on('exit', () => { hostProc.kill(); try {
-                    execSync(`devtunnel delete ${tunnelId} --force`, { stdio: 'pipe' });
+                    execFileSync('devtunnel', ['delete', tunnelId, '--force'], { stdio: 'pipe' });
                 }
                 catch { } });
             }
@@ -342,6 +541,14 @@ async function main() {
             }
         } // end if (devtunnelInstalled)
     }
+    if (hubMode) {
+        // Hub mode — just serve the sessions dashboard, no PTY
+        console.log(`  ${GREEN}✓${RESET} Hub running — open in browser to see all sessions\n`);
+        console.log(`  ${DIM}Press Ctrl+C to stop.${RESET}\n`);
+        process.on('SIGINT', () => { server.close(); process.exit(0); });
+        // Keep process alive
+        await new Promise(() => { });
+    }
     console.log(`  ${DIM}Starting ${command}...${RESET}\n`);
     // Spawn PTY
     const nodePty = await import('node-pty');
@@ -351,7 +558,7 @@ async function main() {
     let resolvedCmd = command;
     if (process.platform === 'win32') {
         try {
-            const wherePaths = execSync(`where ${command}`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim().split('\n');
+            const wherePaths = execFileSync('where', [command], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim().split('\n');
             // Prefer .exe or .cmd over .ps1 for node-pty compatibility
             const exePath = wherePaths.find(p => p.trim().endsWith('.exe')) || wherePaths.find(p => p.trim().endsWith('.cmd'));
             if (exePath) {
@@ -365,11 +572,27 @@ async function main() {
         }
         catch { /* use as-is */ }
     }
-    // Security: filter sensitive environment variables
+    // F-07: Security — allowlist safe environment variables for PTY
+    const SAFE_ENV_VARS = new Set([
+        'PATH', 'HOME', 'USERPROFILE', 'SHELL', 'TERM', 'LANG', 'LC_ALL', 'LC_CTYPE',
+        'USER', 'LOGNAME', 'EDITOR', 'VISUAL', 'COLORTERM', 'TERM_PROGRAM',
+        'HOSTNAME', 'COMPUTERNAME', 'PWD', 'OLDPWD', 'SHLVL', 'TMPDIR', 'TMP', 'TEMP',
+        'XDG_RUNTIME_DIR', 'XDG_DATA_HOME', 'XDG_CONFIG_HOME', 'XDG_CACHE_HOME',
+        'DISPLAY', 'WAYLAND_DISPLAY', 'DBUS_SESSION_BUS_ADDRESS',
+        'PROGRAMFILES', 'PROGRAMFILES(X86)', 'SYSTEMROOT', 'WINDIR', 'COMSPEC',
+        'APPDATA', 'LOCALAPPDATA', 'PROGRAMDATA',
+        'NODE_ENV',
+        'GOPATH', 'GOROOT', 'CARGO_HOME', 'RUSTUP_HOME',
+        'JAVA_HOME', 'MAVEN_HOME', 'GRADLE_HOME',
+        'PYTHONPATH', 'VIRTUAL_ENV', 'CONDA_DEFAULT_ENV',
+        'KUBECONFIG', 'DOCKER_HOST', 'DOCKER_CONFIG',
+        'GIT_AUTHOR_NAME', 'GIT_AUTHOR_EMAIL', 'GIT_COMMITTER_NAME', 'GIT_COMMITTER_EMAIL',
+        'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'http_proxy', 'https_proxy', 'no_proxy',
+        'SSH_AUTH_SOCK', 'GPG_TTY',
+    ]);
     const safeEnv = {};
-    const sensitivePatterns = /token|secret|key|password|credential|api_key|private/i;
     for (const [k, v] of Object.entries(process.env)) {
-        if (!sensitivePatterns.test(k) && v !== undefined) {
+        if (SAFE_ENV_VARS.has(k) && v !== undefined) {
             safeEnv[k] = v;
         }
     }
@@ -378,6 +601,27 @@ async function main() {
         cols, rows, cwd,
         env: safeEnv,
     });
+    // Detect CSPRNG crash (Node.js + node-pty + ConPTY issue) and retry with useConpty: false
+    let ptyExitedEarly = false;
+    const earlyExitCheck = new Promise((resolve) => {
+        ptyProcess.onExit(({ exitCode }) => {
+            if (exitCode === 134 || exitCode === 3221226505) { // 134 = SIGABRT, 3221226505 = STATUS_BREAKPOINT
+                ptyExitedEarly = true;
+                resolve();
+            }
+        });
+        setTimeout(resolve, 2000); // Wait 2s — if still running, it's fine
+    });
+    await earlyExitCheck;
+    if (ptyExitedEarly && process.platform === 'win32') {
+        console.log(`  ${YELLOW}⚠${RESET} ConPTY crash detected, retrying with legacy PTY backend...\n`);
+        ptyProcess = nodePty.spawn(resolvedCmd, commandArgs, {
+            name: 'xterm-256color',
+            cols, rows, cwd,
+            env: safeEnv,
+            useConpty: false,
+        });
+    }
     ptyProcess.onData((data) => {
         process.stdout.write(data);
         broadcast(data);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cli-tunnel",
-  "version": "1.1.0",
-  "description": "Tunnel any CLI app to your phone - PTY + devtunnel + xterm.js",
+  "version": "1.2.0-beta.2",
+  "description": "Tunnel any CLI app to your phone — PTY + devtunnel + xterm.js",
   "type": "module",
   "main": "dist/index.js",
   "bin": {

package/remote-ui/app.js CHANGED Viewed

@@ -5,6 +5,27 @@
 (function () {
   'use strict';
+  // ─── Mobile keyboard viewport fix ────────────────────────
+  // Keep the key bar visible above the on-screen keyboard
+  if (window.visualViewport) {
+    window.visualViewport.addEventListener('resize', () => {
+      const vv = window.visualViewport;
+      const inputArea = document.getElementById('input-area');
+      if (inputArea && vv) {
+        const offset = window.innerHeight - vv.height - vv.offsetTop;
+        inputArea.style.transform = offset > 0 ? `translateY(-${offset}px)` : '';
+      }
+    });
+    window.visualViewport.addEventListener('scroll', () => {
+      const vv = window.visualViewport;
+      const inputArea = document.getElementById('input-area');
+      if (inputArea && vv) {
+        const offset = window.innerHeight - vv.height - vv.offsetTop;
+        inputArea.style.transform = offset > 0 ? `translateY(-${offset}px)` : '';
+      }
+    });
+  }
   let ws = null;
   let connected = false;
   let sessionId = null;
@@ -98,7 +119,7 @@
       const data = await resp.json();
       renderDashboard(data.sessions || []);
     } catch (err) {
-      dashboard.innerHTML = '<div style="padding:12px;color:var(--red)">Failed to load sessions: ' + err.message + '</div>';
+      dashboard.innerHTML = '<div style="padding:12px;color:var(--red)">' + escapeHtml('Failed to load sessions: ' + err.message) + '</div>';
     }
   }
@@ -121,7 +142,7 @@
         '</div>';
     } else {
       html += filtered.map(s => `
-        <div class="session-card" ${s.online ? 'onclick="openSession(\'' + escapeHtml(s.url) + '\')"' : ''}>
+        <div class="session-card" ${s.online ? 'data-session-url="' + escapeHtml(s.url) + '"' : ''}>
           <span class="status-dot ${s.online ? 'online' : 'offline'}"></span>
           <div class="info">
             <div class="repo">📦 ${escapeHtml(s.repo)}</div>
@@ -129,11 +150,18 @@
             <div class="machine">💻 ${escapeHtml(s.machine)}</div>
           </div>
           ${s.online ? '<span class="arrow">→</span>' :
-            '<button onclick="event.stopPropagation();deleteSession(\'' + escapeHtml(s.id) + '\')" style="background:none;border:none;color:var(--red);cursor:pointer;font-size:14px" title="Remove">✕</button>'}
+            '<button data-delete-id="' + escapeHtml(s.id) + '" style="background:none;border:none;color:var(--red);cursor:pointer;font-size:14px" title="Remove">✕</button>'}
         </div>
       `).join('');
     }
     dashboard.innerHTML = html;
+    // #16: XSS fix — use event delegation instead of inline onclick
+    dashboard.querySelectorAll('.session-card[data-session-url]').forEach(function(card) {
+      card.addEventListener('click', function() { openSession(card.dataset.sessionUrl); });
+    });
+    dashboard.querySelectorAll('[data-delete-id]').forEach(function(btn) {
+      btn.addEventListener('click', function(e) { e.stopPropagation(); deleteSession(btn.dataset.deleteId); });
+    });
   }
   window.openSession = (url) => {
@@ -338,14 +366,49 @@
     }
   }
+  // ─── Detect hub mode (no token in URL) ────────────────────
+  const isHubMode = !new URLSearchParams(window.location.search).get('token');
   // ─── WebSocket ───────────────────────────────────────────
   let reconnectAttempt = 0;
-  function connect() {
-    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+  async function connect() {
+    if (isHubMode) {
+      // Hub mode — hide terminal UI, show sessions only
+      setStatus('online', 'Hub');
+      terminal.classList.add('hidden');
+      termContainer.classList.add('hidden');
+      $('#input-area').classList.add('hidden');
+      $('#btn-sessions').classList.add('hidden');
+      dashboard.classList.remove('hidden');
+      loadSessions();
+      // Auto-refresh every 10s
+      setInterval(loadSessions, 10000);
+      return;
+    }
     const tokenParam = new URLSearchParams(window.location.search).get('token');
-    const wsUrl = tokenParam ? `${proto}//${location.host}?token=${encodeURIComponent(tokenParam)}` : `${proto}//${location.host}`;
-    ws = new WebSocket(wsUrl);
+    if (!tokenParam) { setStatus('offline', 'No credentials'); return; }
+    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+    // F-02: Try ticket-based auth first
+    try {
+      const resp = await fetch('/api/auth/ticket', {
+        method: 'POST',
+        headers: { 'Authorization': 'Bearer ' + tokenParam }
+      });
+      if (resp.ok) {
+        const { ticket } = await resp.json();
+        ws = new WebSocket(`${proto}//${location.host}?ticket=${encodeURIComponent(ticket)}`);
+      } else {
+        // Fallback to token-in-URL (backward compat)
+        ws = new WebSocket(`${proto}//${location.host}?token=${encodeURIComponent(tokenParam)}`);
+      }
+    } catch {
+      // Fallback to token-in-URL
+      ws = new WebSocket(`${proto}//${location.host}?token=${encodeURIComponent(tokenParam)}`);
+    }
     setStatus('connecting', 'Connecting...');
     ws.onopen = () => {
@@ -484,10 +547,12 @@
       <h3>${icon} ${escapeHtml(title)}</h3>
       <p>${escapeHtml(shortCmd || JSON.stringify(p).substring(0, 200))}</p>
       <div class="perm-actions">
-        <button class="btn-deny" onclick="handlePerm(${msg.id}, false)">Deny</button>
-        <button class="btn-approve" onclick="handlePerm(${msg.id}, true)">Approve</button>
+        <button class="btn-deny">Deny</button>
+        <button class="btn-approve">Approve</button>
       </div>
     </div>`;
+    permOverlay.querySelector('.btn-deny').addEventListener('click', () => window.handlePerm(msg.id, false));
+    permOverlay.querySelector('.btn-approve').addEventListener('click', () => window.handlePerm(msg.id, true));
   }
   window.handlePerm = (id, approved) => {
     if (ws?.readyState === WebSocket.OPEN) {

package/remote-ui/styles.css CHANGED Viewed

@@ -172,6 +172,9 @@ header {
   background: var(--bg-tool);
   border-top: 1px solid var(--border);
   flex-shrink: 0;
+  position: sticky;
+  bottom: 0;
+  z-index: 10;
 }
 #key-bar {
   display: flex;