codehost 0.1.0

package/src/server.ts

@@ -0,0 +1,69 @@
+#!/usr/bin/env bun
+import { Hono } from "hono";
+import { serveStatic } from "hono/bun";
+import { cors } from "hono/cors";
+import {
+  getOrCreateSession,
+  handleWsClose,
+  handleWsMessage,
+  handleWsOpen,
+  listSessions,
+  sessionKeyForCwd,
+  validateCwd,
+  type WsData,
+} from "./terminal-ws";
+
+const PORT = parseInt(process.env.PORT ?? "3001");
+const app = new Hono();
+
+app.use("*", cors({ origin: "*" }));
+
+// Health check
+app.get("/api/health", (c) => c.json({ ok: true }));
+
+// List terminal sessions
+app.get("/api/sessions", (c) => c.json(listSessions()));
+
+// Serve built frontend in production
+app.use("*", serveStatic({ root: "./dist/public" }));
+app.get("*", serveStatic({ path: "./dist/public/index.html" }));
+
+Bun.serve<WsData>({
+  port: PORT,
+
+  fetch(req, server) {
+    const url = new URL(req.url);
+
+    // WebSocket upgrade for terminal
+    if (url.pathname === "/ws") {
+      const rawCwd = url.searchParams.get("cwd");
+      const cols = parseInt(url.searchParams.get("cols") ?? "80");
+      const rows = parseInt(url.searchParams.get("rows") ?? "24");
+
+      let cwd: string;
+      try {
+        cwd = validateCwd(rawCwd);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return new Response(msg, { status: 400 });
+      }
+
+      const sessionKey = sessionKeyForCwd(cwd);
+      getOrCreateSession(sessionKey, cwd, cols, rows);
+
+      const upgraded = server.upgrade(req, { data: { sessionKey } });
+      if (upgraded) return;
+      return new Response("WebSocket upgrade failed", { status: 426 });
+    }
+
+    return app.fetch(req);
+  },
+
+  websocket: {
+    open: handleWsOpen,
+    message: handleWsMessage,
+    close: handleWsClose,
+  },
+});
+
+console.log(`Codehost server listening on http://localhost:${PORT}`);

package/src/shared/protocol.ts

@@ -0,0 +1,160 @@
+// Binary framing for multiplexing HTTP requests and WebSocket streams over a
+// single WebRTC data channel. One data-channel message == one frame:
+//
+//   byte 0      : opcode
+//   bytes 1..4  : streamId (uint32, big-endian)
+//   bytes 5..   : payload (raw bytes; JSON-encoded for control frames)
+//
+// The browser (Service Worker / WS shim, via the page) is the client; the
+// daemon is the server proxying to the local `code serve-web` instance.
+
+export enum Op {
+  // HTTP client -> server
+  HttpReq = 1, // JSON { method, path, headers }
+  HttpReqBody = 2, // raw bytes
+  HttpReqEnd = 3,
+  // HTTP server -> client
+  HttpResHead = 4, // JSON { status, statusText, headers }
+  HttpResBody = 5, // raw bytes
+  HttpResEnd = 6,
+  // WebSocket client -> server
+  WsOpen = 7, // JSON { path, protocols? }
+  WsText = 9, // utf-8 text
+  WsBin = 10, // raw bytes
+  WsClose = 11, // JSON { code?, reason? }
+  // WebSocket server -> client
+  WsOpenAck = 8, // JSON { ok, protocol? }
+  // either direction
+  Error = 12, // JSON { message }
+  // WebSocket continuation: raw bytes prepended to the next WsText/WsBin frame
+  // of the same stream, so a single WS message can span multiple frames.
+  WsCont = 13,
+}
+
+// WebRTC data-channel messages must stay small to be portable: 16 KiB is the
+// largest size every WebRTC stack (libdatachannel, Chrome, Firefox) reliably
+// accepts. A frame is [op:1][streamId:4][payload], so the payload budget is
+// 16 KiB minus the 5-byte header.
+export const FRAME_HEADER = 5;
+export const MAX_FRAME = 16 * 1024;
+/** Max payload bytes per frame; larger bodies/messages are split across frames. */
+export const MAX_CHUNK = MAX_FRAME - FRAME_HEADER;
+
+export interface HttpReqHead {
+  method: string;
+  path: string;
+  headers: Record<string, string>;
+}
+
+export interface HttpResHead {
+  status: number;
+  statusText: string;
+  headers: Record<string, string>;
+}
+
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+
+export function encodeFrame(op: Op, streamId: number, payload?: Uint8Array): Uint8Array {
+  const len = payload?.byteLength ?? 0;
+  const buf = new Uint8Array(5 + len);
+  buf[0] = op;
+  new DataView(buf.buffer).setUint32(1, streamId >>> 0, false);
+  if (payload && len) buf.set(payload, 5);
+  return buf;
+}
+
+export function encodeJson(op: Op, streamId: number, obj: unknown): Uint8Array {
+  return encodeFrame(op, streamId, enc.encode(JSON.stringify(obj)));
+}
+
+export function encodeText(op: Op, streamId: number, text: string): Uint8Array {
+  return encodeFrame(op, streamId, enc.encode(text));
+}
+
+export interface DecodedFrame {
+  op: Op;
+  streamId: number;
+  payload: Uint8Array;
+}
+
+export function decodeFrame(data: ArrayBuffer | Uint8Array): DecodedFrame {
+  const u8 = data instanceof Uint8Array ? data : new Uint8Array(data);
+  const op = u8[0] as Op;
+  const streamId = new DataView(u8.buffer, u8.byteOffset, u8.byteLength).getUint32(1, false);
+  const payload = u8.subarray(5);
+  return { op, streamId, payload };
+}
+
+export function payloadJson<T>(payload: Uint8Array): T {
+  return JSON.parse(dec.decode(payload)) as T;
+}
+
+export function payloadText(payload: Uint8Array): string {
+  return dec.decode(payload);
+}
+
+/** Split a body into MAX_CHUNK-sized slices (copies, safe to transfer). */
+export function* chunk(body: Uint8Array): Generator<Uint8Array> {
+  for (let off = 0; off < body.byteLength; off += MAX_CHUNK) {
+    yield body.slice(off, Math.min(off + MAX_CHUNK, body.byteLength));
+  }
+}
+
+export function concatBytes(parts: Uint8Array[]): Uint8Array {
+  if (parts.length === 1) return parts[0];
+  const total = parts.reduce((n, p) => n + p.byteLength, 0);
+  const out = new Uint8Array(total);
+  let off = 0;
+  for (const p of parts) {
+    out.set(p, off);
+    off += p.byteLength;
+  }
+  return out;
+}
+
+/**
+ * Frames for one WebSocket message. Messages that fit in a single frame emit
+ * just a WsText/WsBin frame (back-compatible). Larger ones are split into
+ * WsCont frames carrying the leading bytes, terminated by the WsText/WsBin
+ * frame with the final bytes; the receiver concatenates them in order.
+ */
+export function* wsMessageFrames(
+  terminal: Op.WsText | Op.WsBin,
+  streamId: number,
+  payload: Uint8Array,
+): Generator<Uint8Array> {
+  let off = 0;
+  while (payload.byteLength - off > MAX_CHUNK) {
+    yield encodeFrame(Op.WsCont, streamId, payload.subarray(off, off + MAX_CHUNK));
+    off += MAX_CHUNK;
+  }
+  yield encodeFrame(terminal, streamId, payload.subarray(off));
+}
+
+/**
+ * Reassembles WsCont + terminal frames back into whole WebSocket messages,
+ * keyed by streamId. Feed it every WsCont/WsText/WsBin payload; it returns the
+ * complete message bytes on a terminal frame, or null while buffering.
+ */
+export class WsReassembler {
+  private pending = new Map<number, Uint8Array[]>();
+
+  cont(streamId: number, payload: Uint8Array): void {
+    const buf = this.pending.get(streamId);
+    if (buf) buf.push(payload.slice());
+    else this.pending.set(streamId, [payload.slice()]);
+  }
+
+  finish(streamId: number, payload: Uint8Array): Uint8Array {
+    const buf = this.pending.get(streamId);
+    if (!buf) return payload;
+    this.pending.delete(streamId);
+    buf.push(payload);
+    return concatBytes(buf);
+  }
+
+  drop(streamId: number): void {
+    this.pending.delete(streamId);
+  }
+}

package/src/shared/rtc.ts

@@ -0,0 +1,26 @@
+// WebRTC signal payloads carried inside the signaling relay's `data` field.
+// The browser (viewer) is always the initiator/offerer; the daemon (server)
+// answers. STUN-only for v1 (TURN can be added to ICE_SERVERS later).
+
+export const ICE_SERVERS = [
+  "stun:stun.l.google.com:19302",
+  "stun:stun1.l.google.com:19302",
+];
+
+export interface SdpSignal {
+  kind: "offer" | "answer";
+  type: "offer" | "answer";
+  sdp: string;
+}
+
+export interface CandidateSignal {
+  kind: "candidate";
+  candidate: string;
+  /** sdpMid / media line id. */
+  mid: string;
+}
+
+export type RtcSignal = SdpSignal | CandidateSignal;
+
+/** Label used for the control/tunnel data channel. */
+export const CHANNEL_LABEL = "codehost";

package/src/shared/signaling-client.ts

@@ -0,0 +1,135 @@
+import {
+  type ClientMessage,
+  type PeerInfo,
+  type PeerMeta,
+  type Role,
+  type ServerMessage,
+  newPeerId,
+} from "./signaling";
+
+export interface SignalingClientOptions {
+  /** Base signaling URL, e.g. wss://signal.codehost.dev */
+  url: string;
+  token: string;
+  role: Role;
+  meta?: PeerMeta;
+  peerId?: string;
+  onPeers?: (peers: PeerInfo[]) => void;
+  onSignal?: (from: string, data: unknown) => void;
+  onOpen?: () => void;
+  onClose?: () => void;
+}
+
+/**
+ * Thin WebSocket client for the signaling room. Runs unchanged in the browser
+ * and in Bun (both expose a global `WebSocket`). Auto-reconnects with backoff
+ * and re-sends `hello` on every (re)connect.
+ */
+export class SignalingClient {
+  readonly peerId: string;
+  private ws: WebSocket | null = null;
+  private closed = false;
+  private reconnectDelay = 1000;
+  private heartbeat: ReturnType<typeof setInterval> | null = null;
+
+  constructor(private opts: SignalingClientOptions) {
+    this.peerId = opts.peerId ?? newPeerId();
+  }
+
+  connect(): void {
+    this.closed = false;
+    this.open();
+  }
+
+  private roomUrl(): string {
+    const base = this.opts.url.replace(/\/+$/, "");
+    return `${base}/room/${encodeURIComponent(this.opts.token)}`;
+  }
+
+  private open(): void {
+    const ws = new WebSocket(this.roomUrl());
+    this.ws = ws;
+
+    ws.onopen = () => {
+      this.reconnectDelay = 1000;
+      const hello: ClientMessage = {
+        type: "hello",
+        role: this.opts.role,
+        peerId: this.peerId,
+        ...(this.opts.meta ? { meta: this.opts.meta } : {}),
+      };
+      ws.send(JSON.stringify(hello));
+      this.startHeartbeat();
+      this.opts.onOpen?.();
+    };
+
+    ws.onmessage = (ev: MessageEvent) => {
+      let msg: ServerMessage;
+      try {
+        msg = JSON.parse(String(ev.data));
+      } catch {
+        return;
+      }
+      if (msg.type === "peers") this.opts.onPeers?.(msg.peers);
+      else if (msg.type === "signal") this.opts.onSignal?.(msg.from, msg.data);
+    };
+
+    ws.onclose = () => {
+      this.stopHeartbeat();
+      this.opts.onClose?.();
+      if (!this.closed) this.scheduleReconnect();
+    };
+
+    ws.onerror = () => {
+      try {
+        ws.close();
+      } catch {
+        // ignore
+      }
+    };
+  }
+
+  // Heartbeat keeps the room's liveness sweep from evicting us. At 10s, the DO
+  // (STALE_MS 35s) tolerates ~3 missed beats before treating us as gone — fast
+  // enough that a crashed peer stops showing as a phantom server within ~1 sweep.
+  private startHeartbeat(): void {
+    this.stopHeartbeat();
+    this.heartbeat = setInterval(() => {
+      try {
+        this.ws?.send(JSON.stringify({ type: "ping" }));
+      } catch {
+        // socket gone; onclose will reconnect
+      }
+    }, 10000);
+  }
+
+  private stopHeartbeat(): void {
+    if (this.heartbeat != null) {
+      clearInterval(this.heartbeat);
+      this.heartbeat = null;
+    }
+  }
+
+  private scheduleReconnect(): void {
+    const delay = this.reconnectDelay;
+    this.reconnectDelay = Math.min(delay * 2, 15000);
+    setTimeout(() => {
+      if (!this.closed) this.open();
+    }, delay);
+  }
+
+  sendSignal(to: string, data: unknown): void {
+    const msg: ClientMessage = { type: "signal", to, data };
+    this.ws?.send(JSON.stringify(msg));
+  }
+
+  close(): void {
+    this.closed = true;
+    this.stopHeartbeat();
+    try {
+      this.ws?.close();
+    } catch {
+      // ignore
+    }
+  }
+}

package/src/shared/signaling.ts

@@ -0,0 +1,75 @@
+// Signaling protocol shared by the browser, the CLI daemon, and the Cloudflare
+// Worker / Durable Object. A "room" is keyed by the user's token; every member
+// of a room can see the others and exchange WebRTC SDP/ICE via the relay.
+
+export type Role = "server" | "viewer";
+
+/** Metadata a `codehost serve` daemon advertises about itself. */
+export interface PeerMeta {
+  /** Human label, defaults to hostname. */
+  name: string;
+  /** Directory the VS Code instance is serving. */
+  cwd: string;
+  /** Hostname of the machine running the daemon. */
+  host: string;
+}
+
+export interface PeerInfo {
+  peerId: string;
+  role: Role;
+  meta: PeerMeta | null;
+}
+
+// ---- Client -> Server ----
+
+/** First message after connecting: identify role + (for servers) metadata. */
+export interface HelloMessage {
+  type: "hello";
+  role: Role;
+  peerId: string;
+  meta?: PeerMeta;
+}
+
+/** Relay a WebRTC signal (offer / answer / ICE candidate) to another peer. */
+export interface SignalMessage {
+  type: "signal";
+  to: string;
+  /** Opaque payload: { sdp } or { candidate }. */
+  data: unknown;
+}
+
+/** Liveness heartbeat. The room evicts members that stop sending these, so a
+ *  hard-killed daemon (whose WebSocket lingers until the edge times it out)
+ *  doesn't haunt the peer list as a dead server. */
+export interface PingMessage {
+  type: "ping";
+}
+
+export type ClientMessage = HelloMessage | SignalMessage | PingMessage;
+
+// ---- Server -> Client ----
+
+/** Confirms connection and echoes the assigned peerId. */
+export interface WelcomeMessage {
+  type: "welcome";
+  peerId: string;
+}
+
+/** Current room membership; sent on join and whenever it changes. */
+export interface PeersMessage {
+  type: "peers";
+  peers: PeerInfo[];
+}
+
+/** A signal relayed from another peer. */
+export interface RelayedSignalMessage {
+  type: "signal";
+  from: string;
+  data: unknown;
+}
+
+export type ServerMessage = WelcomeMessage | PeersMessage | RelayedSignalMessage;
+
+export function newPeerId(): string {
+  return crypto.randomUUID();
+}

package/src/shared/token.ts

@@ -0,0 +1,74 @@
+// Room-token complexity policy, shared by the browser, the CLI daemon, and the
+// Cloudflare Worker. The token is a bearer secret — anyone who has it can see
+// and connect to every server in the room — so a guessable token is a real
+// compromise. These rules are the single source of truth; all three entry
+// points (CLI `serve`, the codehost.dev token form, and the Worker's /room
+// route) validate against them so a weak token can't slip in from any side.
+
+/** Minimum token length. Short tokens are brute-forceable bearer secrets. */
+export const TOKEN_MIN_LENGTH = 12;
+/** Upper bound, mostly to keep URLs and storage sane. */
+export const TOKEN_MAX_LENGTH = 256;
+/** How many of {lowercase, uppercase, digit, symbol} a token must mix. */
+export const TOKEN_MIN_CHAR_CLASSES = 3;
+
+/** Human-readable summary of the policy, for CLI errors and the UI hint. */
+export const TOKEN_REQUIREMENTS =
+  `at least ${TOKEN_MIN_LENGTH} characters, no spaces, ` +
+  `mixing at least ${TOKEN_MIN_CHAR_CLASSES} of: lowercase, uppercase, digits, symbols`;
+
+// Obviously weak tokens that technically pass the structural rules but are the
+// first things an attacker tries. Compared case-insensitively after trimming.
+const WEAK_TOKENS = new Set([
+  "changeme1234",
+  "password1234",
+  "codehost1234",
+  "letmein12345",
+]);
+
+const CLASS_PATTERNS = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
+
+export interface TokenCheck {
+  ok: boolean;
+  /** Present when `ok` is false: why the token was rejected. */
+  reason?: string;
+}
+
+/**
+ * Validate a room token against the complexity policy. Does not trim — callers
+ * should pass the already-trimmed token (a leading/trailing space is itself a
+ * footgun in a shared secret, so embedded whitespace is rejected outright).
+ */
+export function validateToken(token: string): TokenCheck {
+  if (token.length < TOKEN_MIN_LENGTH) {
+    return { ok: false, reason: `token must be at least ${TOKEN_MIN_LENGTH} characters` };
+  }
+  if (token.length > TOKEN_MAX_LENGTH) {
+    return { ok: false, reason: `token must be at most ${TOKEN_MAX_LENGTH} characters` };
+  }
+  if (/\s/.test(token)) {
+    return { ok: false, reason: "token must not contain whitespace" };
+  }
+  const classes = CLASS_PATTERNS.filter((re) => re.test(token)).length;
+  if (classes < TOKEN_MIN_CHAR_CLASSES) {
+    return {
+      ok: false,
+      reason: `token must mix at least ${TOKEN_MIN_CHAR_CLASSES} of: lowercase, uppercase, digits, symbols`,
+    };
+  }
+  if (WEAK_TOKENS.has(token.toLowerCase())) {
+    return { ok: false, reason: "token is too common; choose a unique secret" };
+  }
+  return { ok: true };
+}
+
+/** Convenience: a strong random token that satisfies the policy. */
+export function generateToken(): string {
+  const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789-_";
+  const bytes = new Uint8Array(24);
+  crypto.getRandomValues(bytes);
+  let out = "";
+  for (const b of bytes) out += alphabet[b % alphabet.length];
+  // Guarantee class coverage regardless of how the random draw landed.
+  return `${out}aA1-`;
+}

package/src/style.css

@@ -0,0 +1,13 @@
+*, *::before, *::after {
+  box-sizing: border-box;
+  margin: 0;
+  padding: 0;
+}
+
+html, body, #root {
+  height: 100%;
+  width: 100%;
+  overflow: hidden;
+  background: #1f1f1f;
+  font-family: system-ui, sans-serif;
+}