codehost 0.20.5 → 0.22.0

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [0.22.0](https://github.com/snomiao/codehost/compare/v0.21.0...v0.22.0) (2026-06-14)
+
+
+### Features
+
+* **web:** "Set up a machine" card on the home page ([c2cec58](https://github.com/snomiao/codehost/commit/c2cec580695cf759a986b18fc8fedd1494fc542f))
+
+# [0.21.0](https://github.com/snomiao/codehost/compare/v0.20.5...v0.21.0) (2026-06-13)
+
+
+### Features
+
+* room roster, host approval/kick, `codehost open`; rename viewer→client ([f3a2a82](https://github.com/snomiao/codehost/commit/f3a2a8265aa8b1adf95ad764fb6d30d9561c6e3c))
+
 ## [0.20.5](https://github.com/snomiao/codehost/compare/v0.20.4...v0.20.5) (2026-06-12)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codehost",
-  "version": "0.20.5",
+  "version": "0.22.0",
   "type": "module",
   "repository": {
     "type": "git",

package/src/cli/approver.ts

@@ -0,0 +1,212 @@
+import { createInterface, type Interface } from "node:readline";
+
+/**
+ * Host-side admission policy for clients (connecting browsers — each gets a full
+ * VS Code session, so this is a real gate, not just UX).
+ *  - "auto":    admit everyone with the token (default; the token is the gate).
+ *  - "confirm": hold each new client until the host approves it at the terminal,
+ *               unless its label matches a pre-approved `--allow` pattern.
+ */
+export type ApprovePolicy = "auto" | "confirm";
+
+export interface ApproverOptions {
+  policy: ApprovePolicy;
+  /** Case-insensitive label substrings auto-approved even under "confirm". */
+  allow: string[];
+  /** Tear down a live client's connection (kick). */
+  kick: (clientId: string) => void;
+  /** Emit a "pending approval" hint to a client that's now waiting on a human. */
+  notifyPending: (clientId: string) => void;
+  /** Whether stdin is an interactive terminal (defaults to process.stdin.isTTY). */
+  isTTY?: boolean;
+  /** Injected input/output for tests; default to the real process streams. */
+  input?: NodeJS.ReadableStream;
+  output?: NodeJS.WritableStream;
+  log?: (msg: string) => void;
+}
+
+interface Pending {
+  clientId: string;
+  label: string;
+  resolve: (ok: boolean) => void;
+}
+
+/**
+ * Decides whether to admit clients and drives an interactive terminal console
+ * for approve / deny / kick / list. Self-contained (no WebRTC deps) so the
+ * daemon stays thin and this stays unit-testable.
+ */
+export class Approver {
+  private opts: ApproverOptions;
+  private isTTY: boolean;
+  private out: NodeJS.WritableStream;
+  private log: (msg: string) => void;
+
+  /** Labels approved with "a(lways)" this session — auto-admit on sight. */
+  private sessionAllow = new Set<string>();
+  /** Live clients (admitted + connected), for `list` / `kick`. */
+  private active = new Map<string, string>();
+  /** Approvals waiting on the host; the head is the one being asked. */
+  private queue: Pending[] = [];
+  private asking = false;
+  private rl: Interface | null = null;
+
+  constructor(opts: ApproverOptions) {
+    this.opts = opts;
+    this.isTTY = opts.isTTY ?? Boolean(process.stdin.isTTY);
+    this.out = opts.output ?? process.stdout;
+    this.log = opts.log ?? ((m) => console.log(m));
+  }
+
+  /** Announce the active policy once at startup. */
+  banner(): void {
+    if (this.opts.policy === "auto") return;
+    if (this.isTTY) {
+      this.log("[codehost] approval: confirm — new clients wait for your OK. Commands: list · kick <n>");
+    } else {
+      this.log(
+        "[codehost] approval: confirm, but no terminal is attached — clients can't be approved " +
+          "interactively and will be denied. Use --approve auto or --allow <label> for a daemon.",
+      );
+    }
+    if (this.opts.allow.length) this.log(`[codehost] auto-approving labels matching: ${this.opts.allow.join(", ")}`);
+  }
+
+  /** Resolve true to admit `clientId`, false to deny. Called once per offer. */
+  admit(clientId: string, label: string): Promise<boolean> {
+    if (this.opts.policy === "auto" || this.preApproved(label)) return Promise.resolve(true);
+
+    // Confirm mode but no terminal to ask at: deny safely.
+    if (!this.isTTY) {
+      this.log(`[codehost] denied "${label}" (${short(clientId)}): confirm mode needs a terminal`);
+      return Promise.resolve(false);
+    }
+
+    this.opts.notifyPending(clientId);
+    return new Promise<boolean>((resolve) => {
+      this.queue.push({ clientId, label, resolve });
+      this.pumpQueue();
+    });
+  }
+
+  /** Mark a client live once its tunnel is bridged (for the console roster). */
+  onConnected(clientId: string, label: string): void {
+    this.active.set(clientId, label);
+  }
+
+  /** Drop a client from the roster and resolve any in-flight approval as denied. */
+  onDisconnected(clientId: string): void {
+    this.active.delete(clientId);
+    const idx = this.queue.findIndex((p) => p.clientId === clientId);
+    if (idx >= 0) {
+      const [p] = this.queue.splice(idx, 1);
+      p.resolve(false);
+    }
+  }
+
+  private preApproved(label: string): boolean {
+    if (this.sessionAllow.has(label)) return true;
+    const l = label.toLowerCase();
+    return this.opts.allow.some((p) => p && l.includes(p.toLowerCase()));
+  }
+
+  // ---- interactive console ----
+
+  /** Start the readline console (no-op unless confirm + TTY). */
+  start(): void {
+    if (this.opts.policy !== "confirm" || !this.isTTY || this.rl) return;
+    this.rl = createInterface({ input: this.opts.input ?? process.stdin, output: this.out });
+    this.rl.on("line", (line) => this.onLine(line.trim()));
+  }
+
+  stop(): void {
+    this.rl?.close();
+    this.rl = null;
+  }
+
+  private pumpQueue(): void {
+    if (this.asking || this.queue.length === 0) return;
+    this.asking = true;
+    const { label, clientId } = this.queue[0];
+    this.out.write(`\n[codehost] "${label}" (${short(clientId)}) wants to connect. Approve? [y/N/a=always] `);
+  }
+
+  private onLine(line: string): void {
+    if (this.asking) {
+      this.answer(line);
+      return;
+    }
+    this.command(line);
+  }
+
+  private answer(line: string): void {
+    const pending = this.queue.shift();
+    this.asking = false;
+    if (!pending) return;
+    const a = line.toLowerCase();
+    const always = a === "a" || a === "always";
+    const yes = always || a === "y" || a === "yes";
+    if (always) this.sessionAllow.add(pending.label);
+    this.log(`[codehost] ${yes ? "approved" : "denied"} "${pending.label}" (${short(pending.clientId)})`);
+    pending.resolve(yes);
+    this.pumpQueue();
+  }
+
+  private command(line: string): void {
+    if (!line) return;
+    const [cmd, ...rest] = line.split(/\s+/);
+    const arg = rest.join(" ");
+    switch (cmd) {
+      case "l":
+      case "ls":
+      case "list":
+        this.printList();
+        break;
+      case "k":
+      case "kick":
+        this.doKick(arg);
+        break;
+      case "h":
+      case "help":
+      case "?":
+        this.log("[codehost] commands: list · kick <n|id> · help");
+        break;
+      default:
+        this.log(`[codehost] unknown command "${cmd}" — try: list · kick <n|id>`);
+    }
+  }
+
+  private printList(): void {
+    const entries = [...this.active.entries()];
+    if (entries.length === 0) {
+      this.log("[codehost] no clients connected");
+      return;
+    }
+    this.log("[codehost] connected clients:");
+    entries.forEach(([id, label], i) => this.log(`  ${i + 1}. ${label} (${short(id)})`));
+  }
+
+  private doKick(arg: string): void {
+    const id = this.resolveClient(arg);
+    if (!id) {
+      this.log(`[codehost] no connected client matches "${arg}" — see: list`);
+      return;
+    }
+    const label = this.active.get(id) ?? "client";
+    this.log(`[codehost] kicking "${label}" (${short(id)})`);
+    this.opts.kick(id);
+  }
+
+  /** Resolve a `kick` argument: 1-based index from `list`, or a peerId prefix. */
+  private resolveClient(arg: string): string | null {
+    if (!arg) return null;
+    const entries = [...this.active.keys()];
+    const n = Number(arg);
+    if (Number.isInteger(n) && n >= 1 && n <= entries.length) return entries[n - 1];
+    return entries.find((id) => id.startsWith(arg) || short(id) === arg) ?? null;
+  }
+}
+
+function short(id: string): string {
+  return id.slice(0, 8);
+}

package/src/cli/commands/dev.ts

@@ -2,6 +2,7 @@ import { hostname } from "node:os";
 import { resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import type { PeerMeta } from "../../shared/signaling";
+import type { ApprovePolicy } from "../approver";
 import { TOKEN_REQUIREMENTS, validateToken } from "../../shared/token";
 import { ensureHostId } from "../config";
 import { launchServeDaemon } from "../daemonize";
@@ -21,6 +22,8 @@ interface DevArgs {
   daemon: boolean;
   standalone: boolean;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const devCommand: CommandModule<{}, DevArgs> = {
@@ -63,6 +66,18 @@ export const devCommand: CommandModule<{}, DevArgs> = {
       .option("port", {
         describe: "Fixed port for the local VS Code server (default: ephemeral)",
         type: "number",
+      })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve each at the terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
       }) as any,
   handler: async (argv) => {
     argv.token = argv.token.trim();
@@ -107,6 +122,8 @@ export const devCommand: CommandModule<{}, DevArgs> = {
         name: argv.name,
         port: argv.port,
         host,
+        approve: argv.approve,
+        allow: argv.allow,
       });
       if (ok) announceConnect(argv.token);
       process.exit(ok ? 0 : 1);
@@ -132,6 +149,8 @@ export const devCommand: CommandModule<{}, DevArgs> = {
       signal: argv.signal,
       meta,
       label: `serving ${dir}`,
+      approve: argv.approve as ApprovePolicy,
+      allow: argv.allow,
       launch: async (basePath) => {
         const v = await launchVscode({ dir, basePath, port: argv.port });
         return { port: v.port, stop: v.stop };

package/src/cli/commands/open.ts

@@ -0,0 +1,95 @@
+import { resolve } from "node:path";
+import type { CommandModule } from "yargs";
+import { readConfig } from "../config";
+import { repoIdentity } from "../git";
+import { GITHUB_HOST, gitUrlToPath, shareableDeepLink } from "../../shared/repo";
+import { PAGE_URL, openBrowser } from "../open-url";
+
+interface OpenArgs {
+  target?: string;
+  token?: string;
+  anon: boolean;
+  page: string;
+  print: boolean;
+}
+
+export const openCommand: CommandModule<{}, OpenArgs> = {
+  command: "open [target]",
+  describe: "Open a codehost deep link in the browser (defaults to the repo in the current directory)",
+  builder: (y) =>
+    y
+      .positional("target", {
+        describe:
+          "What to open: a repo (owner/repo, a git URL, or gh/git/host/dev path) or a full URL. Omit to use the git repo in the current directory.",
+        type: "string",
+      })
+      .option("token", {
+        alias: "t",
+        describe: "Token to embed for auto-connect (defaults to the saved room token)",
+        type: "string",
+      })
+      .option("anon", {
+        describe: "Open without embedding a token",
+        type: "boolean",
+        default: false,
+      })
+      .option("page", { describe: "Page URL to open against", type: "string", default: PAGE_URL })
+      .option("print", {
+        describe: "Print the URL instead of opening a browser",
+        type: "boolean",
+        default: false,
+      }) as any,
+  handler: async (argv) => {
+    const url = buildUrl(argv);
+    console.log(`[codehost] ${url}`);
+    if (argv.print) return;
+    openBrowser(url);
+  },
+};
+
+/**
+ * Resolve the URL to open. A full non-git URL is used verbatim; otherwise we
+ * build a codehost deep-link path (reusing the same helpers the page resolves
+ * with) and, unless `--anon`, append the room token in the `#t=<token>` fragment
+ * so the page auto-connects (the fragment stays in the browser). With no target
+ * we derive the path from the git repo in the current directory.
+ */
+function buildUrl(argv: OpenArgs): string {
+  const target = argv.target?.trim();
+
+  // A full non-repo URL is opened as-is. (A repo URL like
+  // https://github.com/o/r is turned into a deep link below.)
+  if (target && /^https?:\/\//i.test(target) && !gitUrlToPath(target)) return target;
+
+  const path = target ? pathFromTarget(target) : pathFromCwd();
+  const base = `${argv.page.replace(/\/+$/, "")}${path}`;
+
+  const token = argv.anon ? undefined : (argv.token?.trim() || readConfig().token);
+  return token ? `${base}#t=${encodeURIComponent(token)}` : base;
+}
+
+/** Map a positional target to a deep-link path (always starts with `/`). */
+function pathFromTarget(target: string): string {
+  const clean = target.replace(/^\/+/, "");
+  // Already a known deep-link shape — pass through.
+  if (/^(gh|git|host|dev)\//.test(clean)) return `/${clean}`;
+  // A git URL / scp / host/owner/repo (dotted host), incl. /tree/<branch>.
+  const fromUrl = gitUrlToPath(target);
+  if (fromUrl) return fromUrl;
+  // Bare `owner/repo[/tree/branch]` -> GitHub deep link.
+  const m = clean.match(/^([^/]+)\/([^/]+)(?:\/tree\/(.+))?$/);
+  if (m) return shareableDeepLink({ repo: `${GITHUB_HOST}/${m[1]}/${m[2]}`, branch: m[3] }) ?? "/";
+  // Anything else (e.g. a folder path) -> legacy host-agnostic folder mount.
+  return `/dev/${clean}`;
+}
+
+/** Derive a deep-link path from the git repo in the current directory. */
+function pathFromCwd(): string {
+  const { repo, branch } = repoIdentity(resolve(process.cwd()));
+  const path = repo ? shareableDeepLink({ repo, branch }) : null;
+  if (!path) {
+    console.error("[codehost] no git repo found here; opening the codehost home page");
+    return "/";
+  }
+  return path;
+}

package/src/cli/commands/serve.ts

@@ -3,6 +3,7 @@ import { homedir, hostname } from "node:os";
 import { join, resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import type { PeerMeta } from "../../shared/signaling";
+import type { ApprovePolicy } from "../approver";
 import { DEFAULT_LAYOUT, GITHUB_HOST, toPosixPath } from "../../shared/repo";
 import { TOKEN_REQUIREMENTS, validateToken } from "../../shared/token";
 import { defaultRoot, ensureHostId } from "../config";
@@ -66,6 +67,8 @@ interface ServeArgs {
   signal: string;
   daemon: boolean;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const serveCommand: CommandModule<{}, ServeArgs> = {
@@ -102,6 +105,18 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
       .option("port", {
         describe: "Fixed port for the local VS Code server (default: ephemeral)",
         type: "number",
+      })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve each at the terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
       }) as any,
   handler: async (argv) => {
     argv.token = argv.token.trim();
@@ -135,6 +150,8 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
         name: argv.name,
         port: argv.port,
         host,
+        approve: argv.approve,
+        allow: argv.allow,
       });
       if (ok) announceConnect(argv.token);
       process.exit(ok ? 0 : 1);
@@ -208,6 +225,8 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
       metaRefreshMs: 3_000,
       watchFiles: [workspacesFile()],
       plugins,
+      approve: argv.approve as ApprovePolicy,
+      allow: argv.allow,
       label: `serving workspace root ${dir}`,
       provision: { homeDir: dir, host: GITHUB_HOST },
       launch: async (basePath) => {

package/src/cli/commands/setup.ts

@@ -19,6 +19,8 @@ interface SetupArgs {
   name?: string;
   signal: string;
   port?: number;
+  approve: string;
+  allow: string[];
 }
 
 export const setupCommand: CommandModule<{}, SetupArgs> = {
@@ -42,7 +44,19 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
       })
       .option("name", { describe: "Display name for this server (defaults to hostname)", type: "string" })
       .option("signal", { describe: "Signaling server URL", type: "string", default: DEFAULT_SIGNAL_URL })
-      .option("port", { describe: "Fixed port for the local VS Code server", type: "number" }) as any,
+      .option("port", { describe: "Fixed port for the local VS Code server", type: "number" })
+      .option("approve", {
+        describe: "Client admission: 'auto' (anyone with the token) or 'confirm' (approve via --allow; the daemon has no terminal)",
+        type: "string",
+        choices: ["auto", "confirm"],
+        default: "auto",
+      })
+      .option("allow", {
+        describe: "Under --approve confirm, auto-approve clients whose label matches (repeatable)",
+        type: "string",
+        array: true,
+        default: [],
+      }) as any,
   handler: async (argv) => {
     // Explicit dir > a git cwd (serve THIS repo) > remembered root > ~/ws —
     // so a bare `codehost setup` (e.g. from the installer) lands on a sane
@@ -99,6 +113,8 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
       name: argv.name,
       port: argv.port,
       host,
+      approve: argv.approve,
+      allow: argv.allow,
     });
     if (!ok) process.exit(1);
 

package/src/cli/daemonize.ts

@@ -20,6 +20,10 @@ export interface ServeDaemonOptions {
   port?: number;
   /** Hostname, used as a label fallback. */
   host: string;
+  /** Client admission policy ("auto" | "confirm"); propagated to the daemon. */
+  approve?: string;
+  /** Pre-approved client label patterns, propagated to the daemon. */
+  allow?: string[];
 }
 
 export interface ServeDaemonResult {
@@ -79,6 +83,10 @@ function buildForegroundArgv(opts: ServeDaemonOptions): string[] {
   // never collapse into register-with-the-host-daemon-and-exit (oxmgr would
   // see an instant exit and thrash).
   if ((opts.command ?? "serve") === "dev") parts.push("--standalone");
+  // A backgrounded daemon has no terminal, so "confirm" can only admit clients
+  // that match an --allow pattern; we still propagate it so that works.
+  if (opts.approve && opts.approve !== "auto") parts.push("--approve", opts.approve);
+  for (const pat of opts.allow ?? []) parts.push("--allow", pat);
   return parts;
 }
 

package/src/cli/index.ts

@@ -6,6 +6,7 @@ import { initCommand } from "./commands/init";
 import { serveCommand } from "./commands/serve";
 import { devCommand } from "./commands/dev";
 import { exposeCommand } from "./commands/expose";
+import { openCommand } from "./commands/open";
 import { listCommand } from "./commands/list";
 import { stopCommand } from "./commands/stop";
 import { updateCommand } from "./commands/update";
@@ -19,6 +20,7 @@ yargs(hideBin(process.argv))
   .command(serveCommand)
   .command(devCommand)
   .command(exposeCommand)
+  .command(openCommand)
   .command(listCommand)
   .command(stopCommand)
   .command(updateCommand)