codehost 0.20.4 → 0.21.0

package/src/cli/rtc-daemon.ts

@@ -69,27 +69,39 @@ function nativeLoadError(cause: unknown): Error {
 }
 
 export interface RtcDaemonOptions {
-  /** Relay a signal to a viewer peer via the signaling channel. */
+  /** Relay a signal to a client peer via the signaling channel. */
   sendSignal: (to: string, data: RtcSignal) => void;
-  /** Called when a viewer's data channel opens. */
-  onChannel: (viewerId: string, channel: DataChannel) => void;
+  /** Called when a client's data channel opens. */
+  onChannel: (clientId: string, channel: DataChannel) => void;
+  /**
+   * Admission gate. Resolve true to answer the client's offer, false to deny.
+   * Until it resolves we buffer the answer + local ICE so a pending client never
+   * completes a connection. Omitted → admit everyone (default).
+   */
+  admit?: (clientId: string) => Promise<boolean>;
+  /** Called once when a client's connection is torn down (drop / deny / kick). */
+  onClose?: (clientId: string) => void;
 }
 
-interface ViewerConn {
+interface ClientConn {
   pc: PeerConnectionT;
+  /** True once the host has admitted this client; gates outbound answer/ICE. */
+  admitted: boolean;
+  /** Outbound signals withheld while admission is pending. */
+  buffered: RtcSignal[];
 }
 
 /**
- * Daemon-side WebRTC manager. The browser (viewer) is the offerer; for each
- * viewer that sends an offer we create an answering PeerConnection and surface
+ * Daemon-side WebRTC manager. The browser (client) is the offerer; for each
+ * client that sends an offer we create an answering PeerConnection and surface
  * its data channel. STUN-only.
  */
 export class RtcDaemon {
-  private viewers = new Map<string, ViewerConn>();
+  private clients = new Map<string, ClientConn>();
 
   constructor(private opts: RtcDaemonOptions) {}
 
-  /** Route an inbound signaling payload from a viewer. */
+  /** Route an inbound signaling payload from a client. */
   handleSignal(from: string, data: unknown): void {
     const sig = data as RtcSignal;
     if (!sig || typeof sig !== "object") return;
@@ -97,7 +109,7 @@ export class RtcDaemon {
     if (sig.kind === "offer") {
       this.acceptOffer(from, sig.sdp);
     } else if (sig.kind === "candidate") {
-      const conn = this.viewers.get(from);
+      const conn = this.clients.get(from);
       if (conn) {
         try {
           conn.pc.addRemoteCandidate(sig.candidate, sig.mid);
@@ -108,60 +120,88 @@ export class RtcDaemon {
     }
   }
 
-  private acceptOffer(viewerId: string, sdp: string): void {
-    // Replace any prior connection for this viewer (e.g. page reload).
-    this.dropViewer(viewerId);
+  /** Close a specific client's connection (host kick). */
+  close(clientId: string): void {
+    this.dropClient(clientId);
+  }
+
+  private acceptOffer(clientId: string, sdp: string): void {
+    // Replace any prior connection for this client (e.g. page reload).
+    this.dropClient(clientId);
 
-    const pc = new ndc.PeerConnection(`viewer-${viewerId.slice(0, 8)}`, {
+    const pc = new ndc.PeerConnection(`client-${clientId.slice(0, 8)}`, {
       iceServers: ICE_SERVERS,
     });
-    this.viewers.set(viewerId, { pc });
+    const conn: ClientConn = { pc, admitted: false, buffered: [] };
+    this.clients.set(clientId, conn);
+
+    // Withhold the answer + our ICE until the host admits this client; we still
+    // accept the offer + remote candidates so ICE is ready to flush instantly.
+    const emit = (sig: RtcSignal) => {
+      if (conn.admitted) this.opts.sendSignal(clientId, sig);
+      else conn.buffered.push(sig);
+    };
 
     pc.onLocalDescription((localSdp, type) => {
-      this.opts.sendSignal(viewerId, {
-        kind: type as "answer",
-        type: type as "answer",
-        sdp: localSdp,
-      });
+      emit({ kind: type as "answer", type: type as "answer", sdp: localSdp });
     });
 
     pc.onLocalCandidate((candidate, mid) => {
-      this.opts.sendSignal(viewerId, { kind: "candidate", candidate, mid });
+      emit({ kind: "candidate", candidate, mid });
     });
 
     pc.onStateChange((state) => {
-      console.log(`[rtc] ${viewerId.slice(0, 8)} state: ${state}`);
+      console.log(`[rtc] ${clientId.slice(0, 8)} state: ${state}`);
       if (state === "disconnected" || state === "failed" || state === "closed") {
-        this.dropViewer(viewerId);
+        this.dropClient(clientId);
       }
     });
 
     pc.onDataChannel((dc) => {
-      console.log(`[rtc] ${viewerId.slice(0, 8)} channel "${dc.getLabel()}" open`);
-      this.opts.onChannel(viewerId, dc);
+      console.log(`[rtc] ${clientId.slice(0, 8)} channel "${dc.getLabel()}" open`);
+      this.opts.onChannel(clientId, dc);
     });
 
     try {
       pc.setRemoteDescription(sdp, "offer");
     } catch (err) {
-      console.error(`[rtc] setRemoteDescription failed for ${viewerId.slice(0, 8)}:`, err);
-      this.dropViewer(viewerId);
+      console.error(`[rtc] setRemoteDescription failed for ${clientId.slice(0, 8)}:`, err);
+      this.dropClient(clientId);
+      return;
     }
+
+    const admit = this.opts.admit ? this.opts.admit(clientId) : Promise.resolve(true);
+    admit
+      .then((ok) => {
+        // The client may have reloaded/dropped while we waited — only act if
+        // this exact connection is still current.
+        if (this.clients.get(clientId) !== conn) return;
+        if (!ok) {
+          this.opts.sendSignal(clientId, { kind: "denied" });
+          this.dropClient(clientId);
+          return;
+        }
+        conn.admitted = true;
+        for (const sig of conn.buffered) this.opts.sendSignal(clientId, sig);
+        conn.buffered = [];
+      })
+      .catch(() => this.dropClient(clientId));
   }
 
-  private dropViewer(viewerId: string): void {
-    const conn = this.viewers.get(viewerId);
+  private dropClient(clientId: string): void {
+    const conn = this.clients.get(clientId);
     if (!conn) return;
-    this.viewers.delete(viewerId);
+    this.clients.delete(clientId);
     try {
       conn.pc.close();
     } catch {
       // ignore
     }
+    this.opts.onClose?.(clientId);
   }
 
   closeAll(): void {
-    for (const id of [...this.viewers.keys()]) this.dropViewer(id);
+    for (const id of [...this.clients.keys()]) this.dropClient(id);
     try {
       ndc.cleanup();
     } catch {

package/src/cli/run-server.ts

@@ -1,7 +1,8 @@
 import { watch } from "node:fs";
 import { basename, dirname } from "node:path";
-import { type PeerMeta, newPeerId } from "../shared/signaling";
+import { type PeerMeta, isClientRole, newPeerId } from "../shared/signaling";
 import { SignalingClient } from "../shared/signaling-client";
+import { Approver, type ApprovePolicy } from "./approver";
 import { RtcDaemon } from "./rtc-daemon";
 import { type LocalRequest, Tunnel } from "./tunnel";
 import { handleProvision, isProvisionPath, type ProvisionDeps } from "./provision-server";
@@ -46,6 +47,10 @@ export interface RunServerOptions {
    *  host workspace registry). Watched via their parent directory so the file
    *  may not exist yet. */
   watchFiles?: string[];
+  /** Client admission policy (default "auto"). */
+  approve?: ApprovePolicy;
+  /** Label substrings auto-approved under the "confirm" policy. */
+  allow?: string[];
 }
 
 /** How often a daemon re-enumerates its workspaces (manual clones show up). */
@@ -53,7 +58,7 @@ const META_REFRESH_MS = 60_000;
 
 /**
  * Foreground server loop shared by `serve`, `dev`, and `expose`: register in the
- * signaling room with the given meta and bridge each viewer's data channel to a
+ * signaling room with the given meta and bridge each client's data channel to a
  * local server (VS Code for serve/dev, an arbitrary port for expose). Never
  * resolves.
  */
@@ -68,6 +73,23 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
   const target = await opts.launch(basePath);
 
   let rtc: RtcDaemon;
+
+  // Track client labels from the room roster so approval prompts and the bridge
+  // log name *who* connected (a leaked-token tell), not just an opaque peerId.
+  const clientNames = new Map<string, string>();
+  const labelFor = (clientId: string) => clientNames.get(clientId) ?? "unknown client";
+
+  const approver = new Approver({
+    policy: opts.approve ?? "auto",
+    allow: opts.allow ?? [],
+    kick: (clientId) => {
+      // Tell the client why it's being cut off, then tear down the connection.
+      client.sendSignal(clientId, { kind: "denied" });
+      rtc.close(clientId);
+    },
+    notifyPending: (clientId) => client.sendSignal(clientId, { kind: "pending" }),
+  });
+
   const client = new SignalingClient({
     url: opts.signal,
     token: opts.token,
@@ -82,6 +104,12 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
       const detail = info ? ` (code ${info.code}${info.reason ? ` "${info.reason}"` : ""}, up ${info.ms}ms)` : "";
       console.log(`[codehost] disconnected from signaling${detail}, reconnecting…`);
     },
+    onPeers: (peers) => {
+      clientNames.clear();
+      for (const p of peers) {
+        if (isClientRole(p.role) && p.meta?.name) clientNames.set(p.peerId, p.meta.name);
+      }
+    },
     onSignal: (from, data) => rtc.handleSignal(from, data),
   });
 
@@ -107,14 +135,30 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
         }
       : undefined;
 
+  // A client opens two data channels (interactive + bulk), so onChannel fires
+  // twice per connection — log/register "connected" only on the first.
+  const bridged = new Set<string>();
   rtc = new RtcDaemon({
     sendSignal: (to, data) => client.sendSignal(to, data),
-    onChannel: (viewerId, channel) => {
-      console.log(`[codehost] viewer ${viewerId.slice(0, 8)} connected; bridging to :${target.port}`);
+    admit: (clientId) => approver.admit(clientId, labelFor(clientId)),
+    onChannel: (clientId, channel) => {
+      if (!bridged.has(clientId)) {
+        bridged.add(clientId);
+        const who = labelFor(clientId);
+        console.log(`[codehost] ${who} (${clientId.slice(0, 8)}) connected; bridging to :${target.port}`);
+        approver.onConnected(clientId, who);
+      }
       new Tunnel(channel, target.port, target.stripBasePath, onLocal);
     },
+    onClose: (clientId) => {
+      bridged.delete(clientId);
+      approver.onDisconnected(clientId);
+    },
   });
 
+  approver.banner();
+  approver.start();
+
   client.connect();
   if (opts.refreshMeta) {
     setInterval(refreshMeta, opts.metaRefreshMs ?? META_REFRESH_MS);
@@ -144,6 +188,7 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
 
   const shutdown = () => {
     console.log("\n[codehost] shutting down");
+    approver.stop();
     rtc.closeAll();
     client.close();
     target.stop?.();

package/src/shared/repo.ts

@@ -219,7 +219,7 @@ export function resolveRepoTarget(
     .sort(
       (a, b) =>
         Number(prefers(b.meta, prefer)) - Number(prefers(a.meta, prefer)) ||
-        (b.meta?.cwd.length ?? 0) - (a.meta?.cwd.length ?? 0),
+        (b.meta?.cwd?.length ?? 0) - (a.meta?.cwd?.length ?? 0),
     );
 
   // A root that *enumerated* a matching checkout knows it exists on disk —
@@ -233,7 +233,7 @@ export function resolveRepoTarget(
   }
 
   const root = roots[0];
-  if (root && root.meta) {
+  if (root && root.meta?.cwd) {
     const folder = `${trimSlash(root.meta.cwd)}/${fillLayout(root.meta.layout || DEFAULT_LAYOUT, target)}`;
     return { peerId: root.peerId, folder };
   }
@@ -250,7 +250,7 @@ export function resolveRepoTarget(
 export function resolveDevTarget(servers: PeerInfo[], target: DevTarget): Resolution | null {
   const want = stripEnds(target.path);
   const hostOk = (meta: PeerMeta) => !target.host || meta.host === target.host;
-  const hit = servers.find((s) => s.meta && stripEnds(s.meta.cwd) === want && hostOk(s.meta));
+  const hit = servers.find((s) => s.meta?.cwd && stripEnds(s.meta.cwd) === want && hostOk(s.meta));
   if (hit) return { peerId: hit.peerId };
   for (const s of servers) {
     if (!s.meta || !hostOk(s.meta)) continue;

package/src/shared/rtc.ts

@@ -20,7 +20,27 @@ export interface CandidateSignal {
   mid: string;
 }
 
-export type RtcSignal = SdpSignal | CandidateSignal;
+/**
+ * Host-side admission control, relayed opaquely like any other signal. The
+ * daemon sends "pending" while a client awaits the host's approval and "denied"
+ * if the host rejects (or kicks) it — so the client can show why it's waiting or
+ * was cut off, instead of a silent hang. Approval needs no signal: the daemon
+ * just answers the offer. Old daemons never send these; old clients ignore an
+ * unknown `kind`, so this is backward compatible both ways.
+ */
+export interface ControlSignal {
+  kind: "pending" | "denied";
+}
+
+export type RtcSignal = SdpSignal | CandidateSignal | ControlSignal;
 
 /** Label used for the control/tunnel data channel. */
 export const CHANNEL_LABEL = "codehost";
+/**
+ * Second data channel for bulk HTTP bodies. Separate channel = separate SCTP
+ * stream, so multi-MB asset downloads no longer head-of-line block the
+ * interactive WS traffic (VS Code remote protocol, terminal) on
+ * CHANNEL_LABEL. The daemon spins up one Tunnel per incoming channel, so old
+ * daemons handle this unmodified; old browsers simply never open it.
+ */
+export const BULK_CHANNEL_LABEL = "codehost-bulk";

package/src/shared/signaling-client.ts

@@ -14,7 +14,7 @@ export interface SignalingClientOptions {
   role: Role;
   meta?: PeerMeta;
   peerId?: string;
-  onPeers?: (peers: PeerInfo[]) => void;
+  onPeers?: (peers: PeerInfo[], now?: number) => void;
   onSignal?: (from: string, data: unknown) => void;
   onOpen?: () => void;
   /** Called on every socket close. `info` carries the WebSocket close code,
@@ -192,7 +192,7 @@ export class SignalingClient {
       } catch {
         return;
       }
-      if (msg.type === "peers") this.opts.onPeers?.(msg.peers);
+      if (msg.type === "peers") this.opts.onPeers?.(msg.peers, msg.now);
       else if (msg.type === "signal") this.opts.onSignal?.(msg.from, msg.data);
     };
 

package/src/shared/signaling.ts

@@ -2,7 +2,26 @@
 // Worker / Durable Object. A "room" is keyed by the user's token; every member
 // of a room can see the others and exchange WebRTC SDP/ICE via the relay.
 
-export type Role = "server" | "viewer";
+/**
+ * Room roles. A connecting browser is a "client"; "viewer" is the legacy wire
+ * value for the same role, kept so older daemons/pages still interop (the term
+ * understated the access — a connected client gets the host's full VS Code:
+ * terminal + file write). Backward-compat plan ("accept both, emit old"):
+ * receivers treat client and viewer alike via `isClientRole`, and new code
+ * still EMITS the legacy `CLIENT_WIRE_ROLE` ("viewer") until daemons have rolled
+ * forward; a later release flips the emit to "client".
+ */
+export type Role = "server" | "client" | "viewer";
+
+/** The connecting-role value new code emits. Still the legacy "viewer" during
+ *  the accept-both transition; flip to "client" once daemons recognize it. */
+export const CLIENT_WIRE_ROLE: Role = "viewer";
+
+/** True for either spelling of the connecting (browser) role. Use everywhere a
+ *  receiver decides "is this peer a client" so both old and new peers match. */
+export function isClientRole(role: Role): boolean {
+  return role === "client" || role === "viewer";
+}
 
 /** One live agent CLI session on the daemon's machine (sourced from agent-yes's
  *  registry) — advertised so clients can see which agents run where. Interact
@@ -36,14 +55,19 @@ export interface WorkspaceInfo {
   config?: boolean;
 }
 
-/** Metadata a `codehost serve`/`dev` daemon advertises about itself. */
+/**
+ * Metadata a room member advertises. Servers (`codehost serve`/`dev`) fill the
+ * workspace fields; a client (the codehost.dev page) sends just `name` as its
+ * roster label and leaves the server-only fields unset — hence everything but
+ * `name` is optional.
+ */
 export interface PeerMeta {
-  /** Human label, defaults to hostname. */
+  /** Human label. Server: defaults to hostname. Client: a browser/OS label. */
   name: string;
-  /** Directory the VS Code instance is serving (the repo dir, or the root). */
-  cwd: string;
-  /** Hostname of the machine running the daemon. */
-  host: string;
+  /** Server only: directory the VS Code instance is serving (repo dir or root). */
+  cwd?: string;
+  /** Server only: hostname of the machine running the daemon. */
+  host?: string;
   /**
    * Stable machine identity (UUID persisted in ~/.codehost/config.json). All
    * daemons on one machine share it, unlike the per-process peerId, so clients
@@ -84,6 +108,10 @@ export interface PeerInfo {
   peerId: string;
   role: Role;
   meta: PeerMeta | null;
+  /** Worker-stamped join time (ms). Compare against `PeersMessage.now`, which
+   *  is on the same clock, for a roster "connected N ago" without clock skew.
+   *  Absent from older workers. */
+  since?: number;
 }
 
 // ---- Client -> Server ----
@@ -133,6 +161,10 @@ export interface WelcomeMessage {
 export interface PeersMessage {
   type: "peers";
   peers: PeerInfo[];
+  /** Worker wall-clock (ms) at send time — same clock as `PeerInfo.since`, so a
+   *  client renders relative join ages without trusting its own clock. Absent
+   *  from older workers. */
+  now?: number;
 }
 
 /** A signal relayed from another peer. */

package/src/web/conn-broker.ts

@@ -15,9 +15,10 @@ import { TunnelClient, type TunnelLike, type TunnelWsHandlers, type TunnelWsHand
 
 type AnyMsg = Record<string, any>;
 
-/** Creates the RTCPeerConnection for a peer and resolves with its open channel.
+/** Creates the RTCPeerConnection for a peer and resolves with its open
+ *  interactive channel plus the (possibly still-connecting) bulk lane.
  *  Provided by the UI (discovery.tsx) and invoked only when this tab is owner. */
-export type Establish = () => Promise<RTCDataChannel>;
+export type Establish = () => Promise<{ channel: RTCDataChannel; bulk: RTCDataChannel | null }>;
 
 class ConnBroker {
   private port: MessagePort | null = null;
@@ -110,8 +111,8 @@ class ConnBroker {
     if (!establish) return;
     this.establishing.add(peerId);
     try {
-      const channel = await establish();
-      this.locals.set(peerId, new TunnelClient(channel));
+      const { channel, bulk } = await establish();
+      this.locals.set(peerId, new TunnelClient(channel, bulk));
       this.post({ t: "ready", peerId });
       this.resolveReady(peerId);
     } catch (err) {