codehost 0.20.5 → 0.21.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [0.21.0](https://github.com/snomiao/codehost/compare/v0.20.5...v0.21.0) (2026-06-13)
+
+
+### Features
+
+* room roster, host approval/kick, `codehost open`; rename viewer→client ([f3a2a82](https://github.com/snomiao/codehost/commit/f3a2a8265aa8b1adf95ad764fb6d30d9561c6e3c))
+
 ## [0.20.5](https://github.com/snomiao/codehost/compare/v0.20.4...v0.20.5) (2026-06-12)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codehost",
-  "version": "0.20.5",
+  "version": "0.21.0",
   "type": "module",
   "repository": {
     "type": "git",

package/src/cli/approver.ts

@@ -0,0 +1,212 @@
+import { createInterface, type Interface } from "node:readline";
+
+/**
+ * Host-side admission policy for clients (connecting browsers — each gets a full
+ * VS Code session, so this is a real gate, not just UX).
+ *  - "auto":    admit everyone with the token (default; the token is the gate).
+ *  - "confirm": hold each new client until the host approves it at the terminal,
+ *               unless its label matches a pre-approved `--allow` pattern.
+ */
+export type ApprovePolicy = "auto" | "confirm";
+
+export interface ApproverOptions {
+  policy: ApprovePolicy;
+  /** Case-insensitive label substrings auto-approved even under "confirm". */
+  allow: string[];
+  /** Tear down a live client's connection (kick). */
+  kick: (clientId: string) => void;
+  /** Emit a "pending approval" hint to a client that's now waiting on a human. */
+  notifyPending: (clientId: string) => void;
+  /** Whether stdin is an interactive terminal (defaults to process.stdin.isTTY). */
+  isTTY?: boolean;
+  /** Injected input/output for tests; default to the real process streams. */
+  input?: NodeJS.ReadableStream;
+  output?: NodeJS.WritableStream;
+  log?: (msg: string) => void;
+}
+
+interface Pending {
+  clientId: string;
+  label: string;
+  resolve: (ok: boolean) => void;
+}
+
+/**
+ * Decides whether to admit clients and drives an interactive terminal console
+ * for approve / deny / kick / list. Self-contained (no WebRTC deps) so the
+ * daemon stays thin and this stays unit-testable.
+ */
+export class Approver {
+  private opts: ApproverOptions;
+  private isTTY: boolean;
+  private out: NodeJS.WritableStream;
+  private log: (msg: string) => void;
+
+  /** Labels approved with "a(lways)" this session — auto-admit on sight. */
+  private sessionAllow = new Set<string>();
+  /** Live clients (admitted + connected), for `list` / `kick`. */
+  private active = new Map<string, string>();
+  /** Approvals waiting on the host; the head is the one being asked. */
+  private queue: Pending[] = [];
+  private asking = false;
+  private rl: Interface | null = null;
+
+  constructor(opts: ApproverOptions) {
+    this.opts = opts;
+    this.isTTY = opts.isTTY ?? Boolean(process.stdin.isTTY);
+    this.out = opts.output ?? process.stdout;
+    this.log = opts.log ?? ((m) => console.log(m));
+  }
+
+  /** Announce the active policy once at startup. */
+  banner(): void {
+    if (this.opts.policy === "auto") return;
+    if (this.isTTY) {
+      this.log("[codehost] approval: confirm — new clients wait for your OK. Commands: list · kick <n>");
+    } else {
+      this.log(
+        "[codehost] approval: confirm, but no terminal is attached — clients can't be approved " +
+          "interactively and will be denied. Use --approve auto or --allow <label> for a daemon.",
+      );
+    }
+    if (this.opts.allow.length) this.log(`[codehost] auto-approving labels matching: ${this.opts.allow.join(", ")}`);
+  }
+
+  /** Resolve true to admit `clientId`, false to deny. Called once per offer. */
+  admit(clientId: string, label: string): Promise<boolean> {
+    if (this.opts.policy === "auto" || this.preApproved(label)) return Promise.resolve(true);
+
+    // Confirm mode but no terminal to ask at: deny safely.
+    if (!this.isTTY) {
+      this.log(`[codehost] denied "${label}" (${short(clientId)}): confirm mode needs a terminal`);
+      return Promise.resolve(false);
+    }
+
+    this.opts.notifyPending(clientId);
+    return new Promise<boolean>((resolve) => {
+      this.queue.push({ clientId, label, resolve });
+      this.pumpQueue();
+    });
+  }
+
+  /** Mark a client live once its tunnel is bridged (for the console roster). */
+  onConnected(clientId: string, label: string): void {
+    this.active.set(clientId, label);
+  }
+
+  /** Drop a client from the roster and resolve any in-flight approval as denied. */
+  onDisconnected(clientId: string): void {
+    this.active.delete(clientId);
+    const idx = this.queue.findIndex((p) => p.clientId === clientId);
+    if (idx >= 0) {
+      const [p] = this.queue.splice(idx, 1);
+      p.resolve(false);
+    }
+  }
+
+  private preApproved(label: string): boolean {
+    if (this.sessionAllow.has(label)) return true;
+    const l = label.toLowerCase();
+    return this.opts.allow.some((p) => p && l.includes(p.toLowerCase()));
+  }
+
+  // ---- interactive console ----
+
+  /** Start the readline console (no-op unless confirm + TTY). */
+  start(): void {
+    if (this.opts.policy !== "confirm" || !this.isTTY || this.rl) return;
+    this.rl = createInterface({ input: this.opts.input ?? process.stdin, output: this.out });
+    this.rl.on("line", (line) => this.onLine(line.trim()));
+  }
+
+  stop(): void {
+    this.rl?.close();
+    this.rl = null;
+  }
+
+  private pumpQueue(): void {
+    if (this.asking || this.queue.length === 0) return;
+    this.asking = true;
+    const { label, clientId } = this.queue[0];
+    this.out.write(`\n[codehost] "${label}" (${short(clientId)}) wants to connect. Approve? [y/N/a=always] `);
+  }
+
+  private onLine(line: string): void {
+    if (this.asking) {
+      this.answer(line);
+      return;
+    }
+    this.command(line);
+  }
+
+  private answer(line: string): void {
+    const pending = this.queue.shift();
+    this.asking = false;
+    if (!pending) return;
+    const a = line.toLowerCase();
+    const always = a === "a" || a === "always";
+    const yes = always || a === "y" || a === "yes";
+    if (always) this.sessionAllow.add(pending.label);
+    this.log(`[codehost] ${yes ? "approved" : "denied"} "${pending.label}" (${short(pending.clientId)})`);
+    pending.resolve(yes);
+    this.pumpQueue();
+  }
+
+  private command(line: string): void {
+    if (!line) return;
+    const [cmd, ...rest] = line.split(/\s+/);
+    const arg = rest.join(" ");
+    switch (cmd) {
+      case "l":
+      case "ls":
+      case "list":
+        this.printList();
+        break;
+      case "k":
+      case "kick":
+        this.doKick(arg);
+        break;
+      case "h":
+      case "help":
+      case "?":
+        this.log("[codehost] commands: list · kick <n|id> · help");
+        break;
+      default:
+        this.log(`[codehost] unknown command "${cmd}" — try: list · kick <n|id>`);
+    }
+  }
+
+  private printList(): void {
+    const entries = [...this.active.entries()];
+    if (entries.length === 0) {
+      this.log("[codehost] no clients connected");
+      return;
+    }
+    this.log("[codehost] connected clients:");
+    entries.forEach(([id, label], i) => this.log(`  ${i + 1}. ${label} (${short(id)})`));
+  }
+
+  private doKick(arg: string): void {
+    const id = this.resolveClient(arg);
+    if (!id) {
+      this.log(`[codehost] no connected client matches "${arg}" — see: list`);
+      return;
+    }
+    const label = this.active.get(id) ?? "client";
+    this.log(`[codehost] kicking "${label}" (${short(id)})`);
+    this.opts.kick(id);
+  }
+
+  /** Resolve a `kick` argument: 1-based index from `list`, or a peerId prefix. */
+  private resolveClient(arg: string): string | null {
+    if (!arg) return null;
+    const entries = [...this.active.keys()];
+    const n = Number(arg);
+    if (Number.isInteger(n) && n >= 1 && n <= entries.length) return entries[n - 1];
+    return entries.find((id) => id.startsWith(arg) || short(id) === arg) ?? null;
+  }
+}
+
+function short(id: string): string {
+  return id.slice(0, 8);
+}

package/src/cli/commands/dev.ts

@@ -2,6 +2,7 @@ import { hostname } from "node:os";
 import { resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import type { PeerMeta } from "../../shared/signaling";
+import type { ApprovePolicy } from "../approver";
 import { TOKEN_REQUIREMENTS, validateToken } from "../../shared/token";
 import { ensureHostId } from "../config";
 import { launchServeDaemon } from "../daemonize";
@@ -21,6 +22,8 @@ interface DevArgs {
   daemon: boolean;
   standalone: boolean;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const devCommand: CommandModule<{}, DevArgs> = {
@@ -63,6 +66,18 @@ export const devCommand: CommandModule<{}, DevArgs> = {
       .option("port", {
         describe: "Fixed port for the local VS Code server (default: ephemeral)",
         type: "number",
+      })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve each at the terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
       }) as any,
   handler: async (argv) => {
     argv.token = argv.token.trim();
@@ -107,6 +122,8 @@ export const devCommand: CommandModule<{}, DevArgs> = {
         name: argv.name,
         port: argv.port,
         host,
+        approve: argv.approve,
+        allow: argv.allow,
       });
       if (ok) announceConnect(argv.token);
       process.exit(ok ? 0 : 1);
@@ -132,6 +149,8 @@ export const devCommand: CommandModule<{}, DevArgs> = {
       signal: argv.signal,
       meta,
       label: `serving ${dir}`,
+      approve: argv.approve as ApprovePolicy,
+      allow: argv.allow,
       launch: async (basePath) => {
         const v = await launchVscode({ dir, basePath, port: argv.port });
         return { port: v.port, stop: v.stop };

package/src/cli/commands/open.ts

@@ -0,0 +1,95 @@
+import { resolve } from "node:path";
+import type { CommandModule } from "yargs";
+import { readConfig } from "../config";
+import { repoIdentity } from "../git";
+import { GITHUB_HOST, gitUrlToPath, shareableDeepLink } from "../../shared/repo";
+import { PAGE_URL, openBrowser } from "../open-url";
+
+interface OpenArgs {
+  target?: string;
+  token?: string;
+  anon: boolean;
+  page: string;
+  print: boolean;
+}
+
+export const openCommand: CommandModule<{}, OpenArgs> = {
+  command: "open [target]",
+  describe: "Open a codehost deep link in the browser (defaults to the repo in the current directory)",
+  builder: (y) =>
+    y
+      .positional("target", {
+        describe:
+          "What to open: a repo (owner/repo, a git URL, or gh/git/host/dev path) or a full URL. Omit to use the git repo in the current directory.",
+        type: "string",
+      })
+      .option("token", {
+        alias: "t",
+        describe: "Token to embed for auto-connect (defaults to the saved room token)",
+        type: "string",
+      })
+      .option("anon", {
+        describe: "Open without embedding a token",
+        type: "boolean",
+        default: false,
+      })
+      .option("page", { describe: "Page URL to open against", type: "string", default: PAGE_URL })
+      .option("print", {
+        describe: "Print the URL instead of opening a browser",
+        type: "boolean",
+        default: false,
+      }) as any,
+  handler: async (argv) => {
+    const url = buildUrl(argv);
+    console.log(`[codehost] ${url}`);
+    if (argv.print) return;
+    openBrowser(url);
+  },
+};
+
+/**
+ * Resolve the URL to open. A full non-git URL is used verbatim; otherwise we
+ * build a codehost deep-link path (reusing the same helpers the page resolves
+ * with) and, unless `--anon`, append the room token in the `#t=<token>` fragment
+ * so the page auto-connects (the fragment stays in the browser). With no target
+ * we derive the path from the git repo in the current directory.
+ */
+function buildUrl(argv: OpenArgs): string {
+  const target = argv.target?.trim();
+
+  // A full non-repo URL is opened as-is. (A repo URL like
+  // https://github.com/o/r is turned into a deep link below.)
+  if (target && /^https?:\/\//i.test(target) && !gitUrlToPath(target)) return target;
+
+  const path = target ? pathFromTarget(target) : pathFromCwd();
+  const base = `${argv.page.replace(/\/+$/, "")}${path}`;
+
+  const token = argv.anon ? undefined : (argv.token?.trim() || readConfig().token);
+  return token ? `${base}#t=${encodeURIComponent(token)}` : base;
+}
+
+/** Map a positional target to a deep-link path (always starts with `/`). */
+function pathFromTarget(target: string): string {
+  const clean = target.replace(/^\/+/, "");
+  // Already a known deep-link shape — pass through.
+  if (/^(gh|git|host|dev)\//.test(clean)) return `/${clean}`;
+  // A git URL / scp / host/owner/repo (dotted host), incl. /tree/<branch>.
+  const fromUrl = gitUrlToPath(target);
+  if (fromUrl) return fromUrl;
+  // Bare `owner/repo[/tree/branch]` -> GitHub deep link.
+  const m = clean.match(/^([^/]+)\/([^/]+)(?:\/tree\/(.+))?$/);
+  if (m) return shareableDeepLink({ repo: `${GITHUB_HOST}/${m[1]}/${m[2]}`, branch: m[3] }) ?? "/";
+  // Anything else (e.g. a folder path) -> legacy host-agnostic folder mount.
+  return `/dev/${clean}`;
+}
+
+/** Derive a deep-link path from the git repo in the current directory. */
+function pathFromCwd(): string {
+  const { repo, branch } = repoIdentity(resolve(process.cwd()));
+  const path = repo ? shareableDeepLink({ repo, branch }) : null;
+  if (!path) {
+    console.error("[codehost] no git repo found here; opening the codehost home page");
+    return "/";
+  }
+  return path;
+}

package/src/cli/commands/serve.ts

@@ -3,6 +3,7 @@ import { homedir, hostname } from "node:os";
 import { join, resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import type { PeerMeta } from "../../shared/signaling";
+import type { ApprovePolicy } from "../approver";
 import { DEFAULT_LAYOUT, GITHUB_HOST, toPosixPath } from "../../shared/repo";
 import { TOKEN_REQUIREMENTS, validateToken } from "../../shared/token";
 import { defaultRoot, ensureHostId } from "../config";
@@ -66,6 +67,8 @@ interface ServeArgs {
   signal: string;
   daemon: boolean;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const serveCommand: CommandModule<{}, ServeArgs> = {
@@ -102,6 +105,18 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
       .option("port", {
         describe: "Fixed port for the local VS Code server (default: ephemeral)",
         type: "number",
+      })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve each at the terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
       }) as any,
   handler: async (argv) => {
     argv.token = argv.token.trim();
@@ -135,6 +150,8 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
         name: argv.name,
         port: argv.port,
         host,
+        approve: argv.approve,
+        allow: argv.allow,
       });
       if (ok) announceConnect(argv.token);
       process.exit(ok ? 0 : 1);
@@ -208,6 +225,8 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
       metaRefreshMs: 3_000,
       watchFiles: [workspacesFile()],
       plugins,
+      approve: argv.approve as ApprovePolicy,
+      allow: argv.allow,
       label: `serving workspace root ${dir}`,
       provision: { homeDir: dir, host: GITHUB_HOST },
       launch: async (basePath) => {

package/src/cli/commands/setup.ts

@@ -19,6 +19,8 @@ interface SetupArgs {
   name?: string;
   signal: string;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const setupCommand: CommandModule<{}, SetupArgs> = {
@@ -42,7 +44,19 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
       })
       .option("name", { describe: "Display name for this server (defaults to hostname)", type: "string" })
       .option("signal", { describe: "Signaling server URL", type: "string", default: DEFAULT_SIGNAL_URL })
-      .option("port", { describe: "Fixed port for the local VS Code server", type: "number" }) as any,
+      .option("port", { describe: "Fixed port for the local VS Code server", type: "number" })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve via --allow; the daemon has no terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
+      }) as any,
   handler: async (argv) => {
     // Explicit dir > a git cwd (serve THIS repo) > remembered root > ~/ws —
     // so a bare `codehost setup` (e.g. from the installer) lands on a sane
@@ -99,6 +113,8 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
       name: argv.name,
       port: argv.port,
       host,
+      approve: argv.approve,
+      allow: argv.allow,
     });
     if (!ok) process.exit(1);
 

package/src/cli/daemonize.ts

@@ -20,6 +20,10 @@ export interface ServeDaemonOptions {
   port?: number;
   /** Hostname, used as a label fallback. */
   host: string;
+  /** Client admission policy ("auto" | "confirm"); propagated to the daemon. */
+  approve?: string;
+  /** Pre-approved client label patterns, propagated to the daemon. */
+  allow?: string[];
 }
 
 export interface ServeDaemonResult {
@@ -79,6 +83,10 @@ function buildForegroundArgv(opts: ServeDaemonOptions): string[] {
   // never collapse into register-with-the-host-daemon-and-exit (oxmgr would
   // see an instant exit and thrash).
   if ((opts.command ?? "serve") === "dev") parts.push("--standalone");
+  // A backgrounded daemon has no terminal, so "confirm" can only admit clients
+  // that match an --allow pattern; we still propagate it so that works.
+  if (opts.approve && opts.approve !== "auto") parts.push("--approve", opts.approve);
+  for (const pat of opts.allow ?? []) parts.push("--allow", pat);
   return parts;
 }
 

package/src/cli/index.ts

@@ -6,6 +6,7 @@ import { initCommand } from "./commands/init";
 import { serveCommand } from "./commands/serve";
 import { devCommand } from "./commands/dev";
 import { exposeCommand } from "./commands/expose";
+import { openCommand } from "./commands/open";
 import { listCommand } from "./commands/list";
 import { stopCommand } from "./commands/stop";
 import { updateCommand } from "./commands/update";
@@ -19,6 +20,7 @@ yargs(hideBin(process.argv))
   .command(serveCommand)
   .command(devCommand)
   .command(exposeCommand)
+  .command(openCommand)
   .command(listCommand)
   .command(stopCommand)
   .command(updateCommand)

package/src/cli/rtc-daemon.ts

@@ -69,27 +69,39 @@ function nativeLoadError(cause: unknown): Error {
 }
 
 export interface RtcDaemonOptions {
-  /** Relay a signal to a viewer peer via the signaling channel. */
+  /** Relay a signal to a client peer via the signaling channel. */
   sendSignal: (to: string, data: RtcSignal) => void;
-  /** Called when a viewer's data channel opens. */
-  onChannel: (viewerId: string, channel: DataChannel) => void;
+  /** Called when a client's data channel opens. */
+  onChannel: (clientId: string, channel: DataChannel) => void;
+  /**
+   * Admission gate. Resolve true to answer the client's offer, false to deny.
+   * Until it resolves we buffer the answer + local ICE so a pending client never
+   * completes a connection. Omitted → admit everyone (default).
+   */
+  admit?: (clientId: string) => Promise<boolean>;
+  /** Called once when a client's connection is torn down (drop / deny / kick). */
+  onClose?: (clientId: string) => void;
 }
 
-interface ViewerConn {
+interface ClientConn {
   pc: PeerConnectionT;
+  /** True once the host has admitted this client; gates outbound answer/ICE. */
+  admitted: boolean;
+  /** Outbound signals withheld while admission is pending. */
+  buffered: RtcSignal[];
 }
 
 /**
- * Daemon-side WebRTC manager. The browser (viewer) is the offerer; for each
- * viewer that sends an offer we create an answering PeerConnection and surface
+ * Daemon-side WebRTC manager. The browser (client) is the offerer; for each
+ * client that sends an offer we create an answering PeerConnection and surface
  * its data channel. STUN-only.
  */
 export class RtcDaemon {
-  private viewers = new Map<string, ViewerConn>();
+  private clients = new Map<string, ClientConn>();
 
   constructor(private opts: RtcDaemonOptions) {}
 
-  /** Route an inbound signaling payload from a viewer. */
+  /** Route an inbound signaling payload from a client. */
   handleSignal(from: string, data: unknown): void {
     const sig = data as RtcSignal;
     if (!sig || typeof sig !== "object") return;
@@ -97,7 +109,7 @@ export class RtcDaemon {
     if (sig.kind === "offer") {
       this.acceptOffer(from, sig.sdp);
     } else if (sig.kind === "candidate") {
-      const conn = this.viewers.get(from);
+      const conn = this.clients.get(from);
       if (conn) {
         try {
           conn.pc.addRemoteCandidate(sig.candidate, sig.mid);
@@ -108,60 +120,88 @@ export class RtcDaemon {
     }
   }
 
-  private acceptOffer(viewerId: string, sdp: string): void {
-    // Replace any prior connection for this viewer (e.g. page reload).
-    this.dropViewer(viewerId);
+  /** Close a specific client's connection (host kick). */
+  close(clientId: string): void {
+    this.dropClient(clientId);
+  }
+
+  private acceptOffer(clientId: string, sdp: string): void {
+    // Replace any prior connection for this client (e.g. page reload).
+    this.dropClient(clientId);
 
-    const pc = new ndc.PeerConnection(`viewer-${viewerId.slice(0, 8)}`, {
+    const pc = new ndc.PeerConnection(`client-${clientId.slice(0, 8)}`, {
       iceServers: ICE_SERVERS,
     });
-    this.viewers.set(viewerId, { pc });
+    const conn: ClientConn = { pc, admitted: false, buffered: [] };
+    this.clients.set(clientId, conn);
+
+    // Withhold the answer + our ICE until the host admits this client; we still
+    // accept the offer + remote candidates so ICE is ready to flush instantly.
+    const emit = (sig: RtcSignal) => {
+      if (conn.admitted) this.opts.sendSignal(clientId, sig);
+      else conn.buffered.push(sig);
+    };
 
     pc.onLocalDescription((localSdp, type) => {
-      this.opts.sendSignal(viewerId, {
-        kind: type as "answer",
-        type: type as "answer",
-        sdp: localSdp,
-      });
+      emit({ kind: type as "answer", type: type as "answer", sdp: localSdp });
     });
 
     pc.onLocalCandidate((candidate, mid) => {
-      this.opts.sendSignal(viewerId, { kind: "candidate", candidate, mid });
+      emit({ kind: "candidate", candidate, mid });
     });
 
     pc.onStateChange((state) => {
-      console.log(`[rtc] ${viewerId.slice(0, 8)} state: ${state}`);
+      console.log(`[rtc] ${clientId.slice(0, 8)} state: ${state}`);
       if (state === "disconnected" || state === "failed" || state === "closed") {
-        this.dropViewer(viewerId);
+        this.dropClient(clientId);
       }
     });
 
     pc.onDataChannel((dc) => {
-      console.log(`[rtc] ${viewerId.slice(0, 8)} channel "${dc.getLabel()}" open`);
-      this.opts.onChannel(viewerId, dc);
+      console.log(`[rtc] ${clientId.slice(0, 8)} channel "${dc.getLabel()}" open`);
+      this.opts.onChannel(clientId, dc);
     });
 
     try {
       pc.setRemoteDescription(sdp, "offer");
     } catch (err) {
-      console.error(`[rtc] setRemoteDescription failed for ${viewerId.slice(0, 8)}:`, err);
-      this.dropViewer(viewerId);
+      console.error(`[rtc] setRemoteDescription failed for ${clientId.slice(0, 8)}:`, err);
+      this.dropClient(clientId);
+      return;
     }
+
+    const admit = this.opts.admit ? this.opts.admit(clientId) : Promise.resolve(true);
+    admit
+      .then((ok) => {
+        // The client may have reloaded/dropped while we waited — only act if
+        // this exact connection is still current.
+        if (this.clients.get(clientId) !== conn) return;
+        if (!ok) {
+          this.opts.sendSignal(clientId, { kind: "denied" });
+          this.dropClient(clientId);
+          return;
+        }
+        conn.admitted = true;
+        for (const sig of conn.buffered) this.opts.sendSignal(clientId, sig);
+        conn.buffered = [];
+      })
+      .catch(() => this.dropClient(clientId));
   }
 
-  private dropViewer(viewerId: string): void {
-    const conn = this.viewers.get(viewerId);
+  private dropClient(clientId: string): void {
+    const conn = this.clients.get(clientId);
     if (!conn) return;
-    this.viewers.delete(viewerId);
+    this.clients.delete(clientId);
     try {
       conn.pc.close();
     } catch {
       // ignore
     }
+    this.opts.onClose?.(clientId);
   }
 
   closeAll(): void {
-    for (const id of [...this.viewers.keys()]) this.dropViewer(id);
+    for (const id of [...this.clients.keys()]) this.dropClient(id);
     try {
       ndc.cleanup();
     } catch {

package/src/cli/run-server.ts

@@ -1,7 +1,8 @@
 import { watch } from "node:fs";
 import { basename, dirname } from "node:path";
-import { type PeerMeta, newPeerId } from "../shared/signaling";
+import { type PeerMeta, isClientRole, newPeerId } from "../shared/signaling";
 import { SignalingClient } from "../shared/signaling-client";
+import { Approver, type ApprovePolicy } from "./approver";
 import { RtcDaemon } from "./rtc-daemon";
 import { type LocalRequest, Tunnel } from "./tunnel";
 import { handleProvision, isProvisionPath, type ProvisionDeps } from "./provision-server";
@@ -46,6 +47,10 @@ export interface RunServerOptions {
    *  host workspace registry). Watched via their parent directory so the file
    *  may not exist yet. */
   watchFiles?: string[];
+  /** Client admission policy (default "auto"). */
+  approve?: ApprovePolicy;
+  /** Label substrings auto-approved under the "confirm" policy. */
+  allow?: string[];
 }
 
 /** How often a daemon re-enumerates its workspaces (manual clones show up). */
@@ -53,7 +58,7 @@ const META_REFRESH_MS = 60_000;
 
 /**
  * Foreground server loop shared by `serve`, `dev`, and `expose`: register in the
- * signaling room with the given meta and bridge each viewer's data channel to a
+ * signaling room with the given meta and bridge each client's data channel to a
  * local server (VS Code for serve/dev, an arbitrary port for expose). Never
  * resolves.
  */
@@ -68,6 +73,23 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
   const target = await opts.launch(basePath);
 
   let rtc: RtcDaemon;
+
+  // Track client labels from the room roster so approval prompts and the bridge
+  // log name *who* connected (a leaked-token tell), not just an opaque peerId.
+  const clientNames = new Map<string, string>();
+  const labelFor = (clientId: string) => clientNames.get(clientId) ?? "unknown client";
+
+  const approver = new Approver({
+    policy: opts.approve ?? "auto",
+    allow: opts.allow ?? [],
+    kick: (clientId) => {
+      // Tell the client why it's being cut off, then tear down the connection.
+      client.sendSignal(clientId, { kind: "denied" });
+      rtc.close(clientId);
+    },
+    notifyPending: (clientId) => client.sendSignal(clientId, { kind: "pending" }),
+  });
+
   const client = new SignalingClient({
     url: opts.signal,
     token: opts.token,
@@ -82,6 +104,12 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
       const detail = info ? ` (code ${info.code}${info.reason ? ` "${info.reason}"` : ""}, up ${info.ms}ms)` : "";
       console.log(`[codehost] disconnected from signaling${detail}, reconnecting…`);
     },
+    onPeers: (peers) => {
+      clientNames.clear();
+      for (const p of peers) {
+        if (isClientRole(p.role) && p.meta?.name) clientNames.set(p.peerId, p.meta.name);
+      }
+    },
     onSignal: (from, data) => rtc.handleSignal(from, data),
   });
 
@@ -107,14 +135,30 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
         }
       : undefined;
 
+  // A client opens two data channels (interactive + bulk), so onChannel fires
+  // twice per connection — log/register "connected" only on the first.
+  const bridged = new Set<string>();
   rtc = new RtcDaemon({
     sendSignal: (to, data) => client.sendSignal(to, data),
-    onChannel: (viewerId, channel) => {
-      console.log(`[codehost] viewer ${viewerId.slice(0, 8)} connected; bridging to :${target.port}`);
+    admit: (clientId) => approver.admit(clientId, labelFor(clientId)),
+    onChannel: (clientId, channel) => {
+      if (!bridged.has(clientId)) {
+        bridged.add(clientId);
+        const who = labelFor(clientId);
+        console.log(`[codehost] ${who} (${clientId.slice(0, 8)}) connected; bridging to :${target.port}`);
+        approver.onConnected(clientId, who);
+      }
       new Tunnel(channel, target.port, target.stripBasePath, onLocal);
     },
+    onClose: (clientId) => {
+      bridged.delete(clientId);
+      approver.onDisconnected(clientId);
+    },
   });
 
+  approver.banner();
+  approver.start();
+
   client.connect();
   if (opts.refreshMeta) {
     setInterval(refreshMeta, opts.metaRefreshMs ?? META_REFRESH_MS);
@@ -144,6 +188,7 @@ export async function runServer(opts: RunServerOptions): Promise<never> {
 
   const shutdown = () => {
     console.log("\n[codehost] shutting down");
+    approver.stop();
     rtc.closeAll();
     client.close();
     target.stop?.();

package/src/shared/repo.ts

@@ -219,7 +219,7 @@ export function resolveRepoTarget(
     .sort(
       (a, b) =>
         Number(prefers(b.meta, prefer)) - Number(prefers(a.meta, prefer)) ||
-        (b.meta?.cwd.length ?? 0) - (a.meta?.cwd.length ?? 0),
+        (b.meta?.cwd?.length ?? 0) - (a.meta?.cwd?.length ?? 0),
     );
 
   // A root that *enumerated* a matching checkout knows it exists on disk —
@@ -233,7 +233,7 @@ export function resolveRepoTarget(
   }
 
   const root = roots[0];
-  if (root && root.meta) {
+  if (root && root.meta?.cwd) {
     const folder = `${trimSlash(root.meta.cwd)}/${fillLayout(root.meta.layout || DEFAULT_LAYOUT, target)}`;
     return { peerId: root.peerId, folder };
   }
@@ -250,7 +250,7 @@ export function resolveRepoTarget(
 export function resolveDevTarget(servers: PeerInfo[], target: DevTarget): Resolution | null {
   const want = stripEnds(target.path);
   const hostOk = (meta: PeerMeta) => !target.host || meta.host === target.host;
-  const hit = servers.find((s) => s.meta && stripEnds(s.meta.cwd) === want && hostOk(s.meta));
+  const hit = servers.find((s) => s.meta?.cwd && stripEnds(s.meta.cwd) === want && hostOk(s.meta));
   if (hit) return { peerId: hit.peerId };
   for (const s of servers) {
     if (!s.meta || !hostOk(s.meta)) continue;

package/src/shared/rtc.ts

@@ -20,7 +20,19 @@ export interface CandidateSignal {
   mid: string;
 }
 
-export type RtcSignal = SdpSignal | CandidateSignal;
+/**
+ * Host-side admission control, relayed opaquely like any other signal. The
+ * daemon sends "pending" while a client awaits the host's approval and "denied"
+ * if the host rejects (or kicks) it — so the client can show why it's waiting or
+ * was cut off, instead of a silent hang. Approval needs no signal: the daemon
+ * just answers the offer. Old daemons never send these; old clients ignore an
+ * unknown `kind`, so this is backward compatible both ways.
+ */
+export interface ControlSignal {
+  kind: "pending" | "denied";
+}
+
+export type RtcSignal = SdpSignal | CandidateSignal | ControlSignal;
 
 /** Label used for the control/tunnel data channel. */
 export const CHANNEL_LABEL = "codehost";

package/src/shared/signaling-client.ts

@@ -14,7 +14,7 @@ export interface SignalingClientOptions {
   role: Role;
   meta?: PeerMeta;
   peerId?: string;
-  onPeers?: (peers: PeerInfo[]) => void;
+  onPeers?: (peers: PeerInfo[], now?: number) => void;
   onSignal?: (from: string, data: unknown) => void;
   onOpen?: () => void;
   /** Called on every socket close. `info` carries the WebSocket close code,
@@ -192,7 +192,7 @@ export class SignalingClient {
       } catch {
         return;
       }
-      if (msg.type === "peers") this.opts.onPeers?.(msg.peers);
+      if (msg.type === "peers") this.opts.onPeers?.(msg.peers, msg.now);
       else if (msg.type === "signal") this.opts.onSignal?.(msg.from, msg.data);
     };
 

package/src/shared/signaling.ts

@@ -2,7 +2,26 @@
 // Worker / Durable Object. A "room" is keyed by the user's token; every member
 // of a room can see the others and exchange WebRTC SDP/ICE via the relay.
 
-export type Role = "server" | "viewer";
+/**
+ * Room roles. A connecting browser is a "client"; "viewer" is the legacy wire
+ * value for the same role, kept so older daemons/pages still interop (the term
+ * understated the access — a connected client gets the host's full VS Code:
+ * terminal + file write). Backward-compat plan ("accept both, emit old"):
+ * receivers treat client and viewer alike via `isClientRole`, and new code
+ * still EMITS the legacy `CLIENT_WIRE_ROLE` ("viewer") until daemons have rolled
+ * forward; a later release flips the emit to "client".
+ */
+export type Role = "server" | "client" | "viewer";
+
+/** The connecting-role value new code emits. Still the legacy "viewer" during
+ *  the accept-both transition; flip to "client" once daemons recognize it. */
+export const CLIENT_WIRE_ROLE: Role = "viewer";
+
+/** True for either spelling of the connecting (browser) role. Use everywhere a
+ *  receiver decides "is this peer a client" so both old and new peers match. */
+export function isClientRole(role: Role): boolean {
+  return role === "client" || role === "viewer";
+}
 
 /** One live agent CLI session on the daemon's machine (sourced from agent-yes's
  *  registry) — advertised so clients can see which agents run where. Interact
@@ -36,14 +55,19 @@ export interface WorkspaceInfo {
   config?: boolean;
 }
 
-/** Metadata a `codehost serve`/`dev` daemon advertises about itself. */
+/**
+ * Metadata a room member advertises. Servers (`codehost serve`/`dev`) fill the
+ * workspace fields; a client (the codehost.dev page) sends just `name` as its
+ * roster label and leaves the server-only fields unset — hence everything but
+ * `name` is optional.
+ */
 export interface PeerMeta {
-  /** Human label, defaults to hostname. */
+  /** Human label. Server: defaults to hostname. Client: a browser/OS label. */
   name: string;
-  /** Directory the VS Code instance is serving (the repo dir, or the root). */
-  cwd: string;
-  /** Hostname of the machine running the daemon. */
-  host: string;
+  /** Server only: directory the VS Code instance is serving (repo dir or root). */
+  cwd?: string;
+  /** Server only: hostname of the machine running the daemon. */
+  host?: string;
   /**
    * Stable machine identity (UUID persisted in ~/.codehost/config.json). All
    * daemons on one machine share it, unlike the per-process peerId, so clients
@@ -84,6 +108,10 @@ export interface PeerInfo {
   peerId: string;
   role: Role;
   meta: PeerMeta | null;
+  /** Worker-stamped join time (ms). Compare against `PeersMessage.now`, which
+   *  is on the same clock, for a roster "connected N ago" without clock skew.
+   *  Absent from older workers. */
+  since?: number;
 }
 
 // ---- Client -> Server ----
@@ -133,6 +161,10 @@ export interface WelcomeMessage {
 export interface PeersMessage {
   type: "peers";
   peers: PeerInfo[];
+  /** Worker wall-clock (ms) at send time — same clock as `PeerInfo.since`, so a
+   *  client renders relative join ages without trusting its own clock. Absent
+   *  from older workers. */
+  now?: number;
 }
 
 /** A signal relayed from another peer. */

package/src/web/discovery.tsx

@@ -1,5 +1,5 @@
 import { useEffect, useRef, useState } from "react";
-import type { AgentInfo, PeerInfo, WorkspaceInfo } from "../shared/signaling";
+import { type AgentInfo, type PeerInfo, type WorkspaceInfo, CLIENT_WIRE_ROLE, isClientRole } from "../shared/signaling";
 import { TOKEN_REQUIREMENTS, validateToken } from "../shared/token";
 import { SignalingClient } from "../shared/signaling-client";
 import type { RtcSignal } from "../shared/rtc";
@@ -26,11 +26,43 @@ import { deriveTags, matchQuery, shortRoomLabel, tagKey } from "../shared/tags";
 
 const TOKEN_KEY = "codehost.token";
 
-type ConnState = "idle" | "connecting" | "provisioning" | "connected" | "failed";
+type ConnState = "idle" | "connecting" | "pending" | "provisioning" | "connected" | "failed" | "denied";
 
 /** A server discovered in a specific room (its token routes the signaling). */
 type RoomedServer = { server: PeerInfo; room: string };
 
+/**
+ * A short "Browser · OS" label this page advertises in the room roster, so the
+ * host and other clients can tell devices apart (and spot a stranger that
+ * shouldn't have the token). Best-effort UA sniff; falls back to "browser".
+ */
+function clientLabel(): string {
+  const ua = navigator.userAgent;
+  const browser = /Edg\//.test(ua) ? "Edge"
+    : /OPR\//.test(ua) ? "Opera"
+    : /Firefox\//.test(ua) ? "Firefox"
+    : /Chrome\//.test(ua) ? "Chrome"
+    : /Safari\//.test(ua) ? "Safari"
+    : "browser";
+  const os = /Mac OS X/.test(ua) ? "macOS"
+    : /Windows/.test(ua) ? "Windows"
+    : /Android/.test(ua) ? "Android"
+    : /(iPhone|iPad|iPod)/.test(ua) ? "iOS"
+    : /Linux/.test(ua) ? "Linux"
+    : "";
+  return os ? `${browser} · ${os}` : browser;
+}
+
+/** Coarse "Ns/Nm/Nh" from a worker-clock join time and the room's clock. */
+function relTime(since?: number, now?: number): string | null {
+  if (!since || !now) return null;
+  const secs = Math.max(0, Math.round((now - since) / 1000));
+  if (secs < 60) return `${secs}s`;
+  const mins = Math.round(secs / 60);
+  if (mins < 60) return `${mins}m`;
+  return `${Math.round(mins / 60)}h`;
+}
+
 /**
  * Read a room token handed in the URL fragment as `#t=<token>` (what the CLI
  * prints/opens after `setup`/`serve`). The page is static, so the fragment
@@ -98,7 +130,7 @@ function findRoomForDeepLink(dl: DeepLink, tokens: string[], timeoutMs = 6000):
       const client = new SignalingClient({
         url: getSignalUrl(),
         token: tok,
-        role: "viewer",
+        role: CLIENT_WIRE_ROLE,
         onPeers: (peers) => {
           const servers = peers.filter((p) => p.role === "server");
           const res =
@@ -124,7 +156,9 @@ function findRoomForDeepLink(dl: DeepLink, tokens: string[], timeoutMs = 6000):
  */
 function RoomClient(props: {
   token: string;
+  label: string;
   onPeers: (peers: PeerInfo[]) => void;
+  onRoster: (clients: PeerInfo[], now?: number) => void;
   onStatus: (open: boolean) => void;
   onSignal: (from: string, data: unknown) => void;
   registerSender: (send: ((to: string, data: unknown) => void) | null) => void;
@@ -133,15 +167,23 @@ function RoomClient(props: {
   // not on every parent re-render (which would needlessly churn the WebSocket).
   const cb = useRef(props);
   cb.current = props;
-  const { token } = props;
+  const { token, label } = props;
   useEffect(() => {
     const client = new SignalingClient({
       url: getSignalUrl(),
       token,
-      role: "viewer",
+      // Connecting role. CLIENT_WIRE_ROLE is still the legacy "viewer" during the
+      // accept-both transition; servers match it via isClientRole either way.
+      role: CLIENT_WIRE_ROLE,
+      // Advertise a label so this tab shows up named in the room roster.
+      meta: { name: label },
       onOpen: () => cb.current.onStatus(true),
       onClose: () => cb.current.onStatus(false),
-      onPeers: (peers) => cb.current.onPeers(peers.filter((p) => p.role === "server")),
+      onPeers: (peers, now) => {
+        cb.current.onPeers(peers.filter((p) => p.role === "server"));
+        // Other clients in the room (not us) — surfaced as the roster.
+        cb.current.onRoster(peers.filter((p) => isClientRole(p.role) && p.peerId !== client.peerId), now);
+      },
       onSignal: (from, data) => cb.current.onSignal(from, data),
     });
     cb.current.registerSender((to, data) => client.sendSignal(to, data));
@@ -170,6 +212,12 @@ export function Discovery() {
   // Per-room discovery state, merged into one workspace list below.
   const [serversByRoom, setServersByRoom] = useState<Record<string, PeerInfo[]>>({});
   const [roomOpen, setRoomOpen] = useState<Record<string, boolean>>({});
+  // Other clients (browsers) per room, for the "In this room" roster, plus the
+  // worker clock from the latest peers message for relative join times.
+  const [clientsByRoom, setClientsByRoom] = useState<Record<string, PeerInfo[]>>({});
+  const [roomNow, setRoomNow] = useState<number | undefined>(undefined);
+  // This tab's roster label, computed once.
+  const labelRef = useRef(clientLabel());
 
   // Token input = "join another room": validated, then appended to the set.
   // Never pre-filled with a saved token — it's a bearer secret.
@@ -204,6 +252,12 @@ export function Discovery() {
   const activePeerRef = useRef<string | null>(null);
   const activeRoomRef = useRef<string | null>(null);
   const sendersRef = useRef<Map<string, (to: string, data: unknown) => void>>(new Map());
+  // Admission control: the host can hold ("pending") or reject ("denied") us.
+  // `deniedRef` stops a trailing pc state change from overwriting the denied UI;
+  // the timer/reject refs let a control signal extend or abort the dial attempt.
+  const deniedRef = useRef(false);
+  const dialTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+  const dialRejectRef = useRef<((e: Error) => void) | null>(null);
   // Whether the live connection pushed a history entry (so Disconnect/Back can
   // pop it back to the list).
   const pushedRef = useRef(false);
@@ -387,6 +441,7 @@ export function Discovery() {
     const send = sendersRef.current.get(room);
     if (!send) return;
     dialingRef.current = true; // synchronous gate against concurrent triggers
+    deniedRef.current = false;
     let didPush = false;
     try {
       // Clear any prior connection's broker state first: after an RTC drop the
@@ -435,23 +490,25 @@ export function Discovery() {
           const rtc = new RtcClient({
             sendSignal: (data: RtcSignal) => send(server.peerId, data),
             onState: (state) => {
-              if (state === "failed" || state === "disconnected") setConnState("failed");
+              if ((state === "failed" || state === "disconnected") && !deniedRef.current) setConnState("failed");
             },
             onOpen: (channel) => {
-              clearTimeout(timer);
+              if (dialTimerRef.current) clearTimeout(dialTimerRef.current);
               resolve({ channel, bulk: rtc.bulkChannel });
             },
             onClose: () => setConnState((s) => (s === "connected" ? "idle" : s)),
           });
           rtcRef.current = rtc;
+          dialRejectRef.current = reject;
           // Don't hang forever dialing a peer that never answers (e.g. a stale
-          // server still listed in the room): fail the attempt after 15s.
-          const timer = setTimeout(() => {
+          // server still listed in the room): fail the attempt after 15s. A
+          // "pending" admission signal swaps this for a longer approval window.
+          dialTimerRef.current = setTimeout(() => {
             rtc.close();
             reject(new Error("connection timed out"));
           }, 15000);
           rtc.start().catch((err) => {
-            clearTimeout(timer);
+            if (dialTimerRef.current) clearTimeout(dialTimerRef.current);
             reject(err);
           });
         });
@@ -495,7 +552,7 @@ export function Discovery() {
       setResolving(null);
       recordConnect(server, room, openFolder);
     } catch {
-      setConnState("failed");
+      setConnState(deniedRef.current ? "denied" : "failed");
       // Undo the optimistic history entry we pushed. revertingRef makes the
       // resulting popstate a no-op so the "failed" card stays on the list.
       if (didPush) {
@@ -717,6 +774,12 @@ export function Discovery() {
   const onlineRooms = tokens.filter((t) => roomOpen[t]).length;
   const activeServer = allServers.find((x) => x.server.peerId === activePeerId)?.server;
 
+  // Other clients (browsers) across all joined rooms, deduped by peerId — the
+  // "In this room" roster, so you can spot a device that shouldn't hold a token.
+  const otherClients = Object.values(clientsByRoom)
+    .flat()
+    .filter((c, i, all) => all.findIndex((x) => x.peerId === c.peerId) === i);
+
   // Annotate each server with its mnemonic fake-tags (incl. its room label), then
   // filter. The room token is hashed to a short label — never rendered raw.
   const tagged = allServers.map(({ server: s, room }) => ({
@@ -764,10 +827,39 @@ export function Discovery() {
     <RoomClient
       key={t}
       token={t}
+      label={labelRef.current}
       onPeers={(peers) => setServersByRoom((m) => ({ ...m, [t]: peers }))}
+      onRoster={(clients, now) => {
+        setClientsByRoom((m) => ({ ...m, [t]: clients }));
+        if (now) setRoomNow(now);
+      }}
       onStatus={(open) => setRoomOpen((m) => ({ ...m, [t]: open }))}
       onSignal={(from, data) => {
-        if (from === activePeerRef.current) void rtcRef.current?.handleSignal(data);
+        if (from !== activePeerRef.current) return;
+        const kind = (data as { kind?: string } | null)?.kind;
+        if (kind === "pending") {
+          // Host is reviewing us — show "waiting" and stop the short dial timer
+          // from failing the attempt while a human decides.
+          setConnState("pending");
+          if (dialTimerRef.current) clearTimeout(dialTimerRef.current);
+          dialTimerRef.current = setTimeout(() => {
+            rtcRef.current?.close();
+            dialRejectRef.current?.(new Error("approval timed out"));
+          }, 120000);
+          return;
+        }
+        if (kind === "denied") {
+          // Denied while dialing, or kicked after connecting — set state directly
+          // so it covers both (the dial promise may already be settled).
+          deniedRef.current = true;
+          if (dialTimerRef.current) clearTimeout(dialTimerRef.current);
+          rtcRef.current?.close();
+          setIframeSrc(null);
+          setConnState("denied");
+          dialRejectRef.current?.(new Error("host denied the connection"));
+          return;
+        }
+        void rtcRef.current?.handleSignal(data);
       }}
       registerSender={(send) => {
         if (send) sendersRef.current.set(t, send);
@@ -1078,18 +1170,20 @@ export function Discovery() {
                           )}
                           <div style={styles.idLine}>peer {s.peerId.slice(0, 8)}</div>
                           {isActive && (
-                            <div style={styles.echo}>
+                            <div style={connState === "denied" ? styles.echoBad : styles.echo}>
                               {connState === "connecting" && "negotiating WebRTC…"}
+                              {connState === "pending" && "waiting for the host to approve you…"}
                               {connState === "failed" && "connection failed"}
+                              {connState === "denied" && "the host denied this connection"}
                             </div>
                           )}
                         </div>
                         <button
                           style={styles.connectBtn}
                           onClick={() => connectTo(s, room)}
-                          disabled={isActive && connState === "connecting"}
+                          disabled={isActive && (connState === "connecting" || connState === "pending")}
                         >
-                          {isActive && connState === "connecting" ? "…" : "Connect"}
+                          {isActive && (connState === "connecting" || connState === "pending") ? "…" : "Connect"}
                         </button>
                       </li>
                     );
@@ -1101,6 +1195,36 @@ export function Discovery() {
               <p style={styles.dim}>No workspace matches your filter.</p>
             )}
           </div>
+
+          {tokens.length > 0 && (
+            <section style={styles.rosterSection}>
+              <div style={styles.rosterHead}>
+                In this room · you{otherClients.length > 0 ? ` + ${otherClients.length} other ${otherClients.length === 1 ? "client" : "clients"}` : ""}
+              </div>
+              <ul style={styles.list}>
+                <li style={styles.personRow}>
+                  <span style={styles.personDot}>●</span>
+                  <span style={styles.personName}>{labelRef.current}</span>
+                  <span style={styles.dim}>you</span>
+                </li>
+                {otherClients.map((c) => {
+                  const age = relTime(c.since, roomNow);
+                  return (
+                    <li key={c.peerId} style={styles.personRow}>
+                      <span style={{ ...styles.personDot, color: "#dcb67a" }}>●</span>
+                      <span style={styles.personName}>{c.meta?.name ?? c.peerId.slice(0, 8)}</span>
+                      {age && <span style={styles.dim}>connected {age} ago</span>}
+                    </li>
+                  );
+                })}
+              </ul>
+              <p style={styles.rosterHint}>
+                Anyone holding a room's token can appear here and gets a full VS Code session
+                (terminal + file write). See a device you don't recognize? Rotate the token with{" "}
+                <code style={styles.code}>codehost setup --new-token</code>.
+              </p>
+            </section>
+          )}
         </main>
       </div>
     </>
@@ -1185,6 +1309,13 @@ const styles: Record<string, React.CSSProperties> = {
   cardSub: { display: "flex", gap: 12, fontSize: 12, color: "#888", marginTop: 2 },
   cwd: { fontFamily: "monospace" },
   echo: { marginTop: 6, fontSize: 12, color: "#4ec9b0", fontFamily: "monospace" },
+  echoBad: { marginTop: 6, fontSize: 12, color: "#f48771", fontFamily: "monospace" },
+  rosterSection: { marginTop: 28 },
+  rosterHead: { fontSize: 14, color: "#aaa", fontWeight: 600, margin: "0 0 12px" },
+  rosterHint: { margin: "10px 0 0", fontSize: 12, color: "#888" },
+  personRow: { display: "flex", alignItems: "center", gap: 10, background: "#252525", border: "1px solid #3d3d3d", borderRadius: 8, padding: "8px 14px", fontSize: 13 },
+  personDot: { color: "#4ec9b0", fontSize: 10 },
+  personName: { color: "#eee", flex: 1, minWidth: 0, overflow: "hidden", textOverflow: "ellipsis", whiteSpace: "nowrap" },
   connectBtn: { background: "#0e639c", border: "none", color: "#fff", padding: "6px 14px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
   shareBtn: { background: "transparent", border: "1px solid #3d3d3d", color: "#ccc", padding: "6px 14px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
   provLog: { flex: 1, margin: 0, padding: "14px 18px", overflow: "auto", background: "#1e1e1e", color: "#ccc", fontFamily: "monospace", fontSize: 12.5, lineHeight: 1.5, whiteSpace: "pre-wrap" },

package/src/web/room-client.ts

@@ -1,5 +1,5 @@
 import { SignalingClient } from "../shared/signaling-client";
-import type { PeerInfo } from "../shared/signaling";
+import { type PeerInfo, CLIENT_WIRE_ROLE } from "../shared/signaling";
 import type { RtcSignal } from "../shared/rtc";
 import { RtcClient } from "./rtc-client";
 import { TunnelClient } from "./tunnel-client";
@@ -44,7 +44,7 @@ export class CodehostRoom {
     this.signaling = new SignalingClient({
       url: opts.signalUrl ?? DEFAULT_SIGNAL_URL,
       token: opts.token,
-      role: "viewer",
+      role: CLIENT_WIRE_ROLE,
       onOpen: () => opts.onStatus?.(true),
       onClose: () => opts.onStatus?.(false),
       onPeers: (peers) => {

package/worker/room.ts

@@ -10,6 +10,8 @@ interface Attachment {
   peerId: string;
   role: Role;
   meta: PeerMeta | null;
+  /** Wall-clock ms when this socket joined (sent `hello`); for the room roster. */
+  since: number;
   /** Wall-clock ms of the last message from this socket (hello / ping / signal). */
   lastSeen: number;
 }
@@ -57,11 +59,13 @@ export class Room implements DurableObject {
     }
 
     if (msg.type === "hello") {
+      const now = Date.now();
       const att: Attachment = {
         peerId: msg.peerId,
         role: msg.role,
         meta: msg.meta ?? null,
-        lastSeen: Date.now(),
+        since: now,
+        lastSeen: now,
       };
       ws.serializeAttachment(att);
       this.send(ws, { type: "welcome", peerId: msg.peerId });
@@ -165,13 +169,13 @@ export class Room implements DurableObject {
     const peers: PeerInfo[] = [];
     for (const ws of this.state.getWebSockets()) {
       const att = this.attachment(ws);
-      if (att) peers.push({ peerId: att.peerId, role: att.role, meta: att.meta });
+      if (att) peers.push({ peerId: att.peerId, role: att.role, meta: att.meta, since: att.since });
     }
     return peers;
   }
 
   private broadcastPeers(): void {
-    const message: ServerMessage = { type: "peers", peers: this.peerList() };
+    const message: ServerMessage = { type: "peers", peers: this.peerList(), now: Date.now() };
     const payload = JSON.stringify(message);
     for (const ws of this.state.getWebSockets()) {
       try {