codex-blocker 0.1.2 → 0.1.3

package/README.md

@@ -1,6 +1,6 @@
 # codex-blocker
 
-CLI tool and server for Codex Blocker — block distracting websites unless Codex is actively running.
+CLI tool and server for Codex Blocker -- block distracting websites unless Codex is actively running.
 
 ## Installation
 
@@ -41,18 +41,18 @@ npx codex-blocker --version
 
 ## How It Works
 
-1. **Codex sessions** — The server tails Codex session logs under `~/.codex/sessions`
-   to detect activity. It marks a session “working” on your prompt and on intermediate
+1. **Codex sessions** -- The server tails Codex session logs under `~/.codex/sessions`
+   to detect activity. It marks a session "working" on your prompt and on intermediate
    assistant/tool activity, marks `waiting_for_input` when Codex emits
-   `request_user_input`, and marks “idle” when it sees a terminal assistant reply
+   `request_user_input`, and marks "idle" when it sees a terminal assistant reply
    (`phase: "final_answer"`), with legacy fallback support for older Codex logs.
 
-2. **Server** — Runs on localhost and:
+2. **Server** -- Runs on localhost and:
    - Tracks active Codex sessions
    - Marks sessions "working" when new log lines arrive
    - Broadcasts state via WebSocket to the Chrome extension
 
-3. **Extension** — Connects to the server and:
+3. **Extension** -- Connects to the server and:
    - Blocks configured sites when no sessions are working, or when any session is waiting for user input
    - Shows a modal overlay (soft block, not network block)
    - Updates in real-time without page refresh
@@ -82,7 +82,7 @@ Connect to `ws://localhost:8765/ws` to receive real-time state updates:
 ## Programmatic Usage
 
 ```typescript
-import { startServer } from 'codex-blocker';
+import { startServer } from "codex-blocker";
 
 // Start on default port (8765)
 startServer();

package/dist/bin.js

@@ -2,7 +2,7 @@
 import {
   DEFAULT_PORT,
   startServer
-} from "./chunk-KNFNSOAX.js";
+} from "./chunk-ZDUKZXM4.js";
 
 // src/bin.ts
 import { createRequire } from "module";
@@ -43,6 +43,10 @@ function removeCodexSetup() {
 var require2 = createRequire(import.meta.url);
 var { version } = require2("../package.json");
 var args = process.argv.slice(2);
+function isWindowsOrWslRuntime() {
+  if (process.platform === "win32") return true;
+  return Boolean(process.env.WSL_DISTRO_NAME || process.env.WSL_INTEROP);
+}
 function prompt(question) {
   const rl = createInterface({
     input: process.stdin,
@@ -109,6 +113,9 @@ async function main() {
       console.log("");
     }
   }
-  startServer(port);
+  startServer(port, {
+    mobile: false,
+    bindHost: isWindowsOrWslRuntime() ? "0.0.0.0" : "127.0.0.1"
+  });
 }
 main();

package/dist/{chunk-KNFNSOAX.js → chunk-ZDUKZXM4.js}

@@ -1,14 +1,13 @@
 // src/server.ts
 import { createServer } from "http";
-import { existsSync as existsSync2, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname2, join as join2 } from "path";
 import { WebSocketServer, WebSocket } from "ws";
 
 // src/types.ts
 var DEFAULT_PORT = 8765;
 var SESSION_TIMEOUT_MS = 5 * 60 * 1e3;
 var CODEX_SESSIONS_SCAN_INTERVAL_MS = 2e3;
+var MOBILE_PAIRING_TTL_MS = 2 * 60 * 1e3;
+var MOBILE_QR_PAIRING_TTL_MS = 60 * 1e3;
 
 // src/state.ts
 var SessionState = class {
@@ -442,31 +441,189 @@ var CodexSessionWatcher = class {
   }
 };
 
-// src/server.ts
+// src/mobile.ts
+import { randomBytes, randomInt } from "crypto";
+var ExtensionPairingManager = class {
+  constructor(now = () => Date.now()) {
+    this.now = now;
+  }
+  pairing = null;
+  startPairing(regenerateCode = false) {
+    this.expireIfNeeded();
+    if (this.pairing && !regenerateCode) {
+      return { ...this.pairing };
+    }
+    const next = {
+      code: randomInt(0, 1e6).toString().padStart(6, "0"),
+      expiresAt: this.now() + MOBILE_PAIRING_TTL_MS
+    };
+    this.pairing = next;
+    return { ...next };
+  }
+  getStatus() {
+    this.expireIfNeeded();
+    return {
+      active: this.pairing !== null,
+      expiresAt: this.pairing?.expiresAt ?? null
+    };
+  }
+  confirmPairingCode(code) {
+    this.expireIfNeeded();
+    if (!this.pairing) return false;
+    if (code.trim() !== this.pairing.code) return false;
+    this.pairing = null;
+    return true;
+  }
+  expireIfNeeded() {
+    if (!this.pairing) return;
+    if (this.now() >= this.pairing.expiresAt) {
+      this.pairing = null;
+    }
+  }
+};
+var MobileQrPairingManager = class {
+  constructor(now = () => Date.now()) {
+    this.now = now;
+  }
+  pairing = null;
+  startPairing(refreshQr = false) {
+    this.expireIfNeeded();
+    if (this.pairing && !refreshQr) {
+      return { ...this.pairing };
+    }
+    if (this.pairing && refreshQr) {
+      const nextQrExpiry = this.now() + MOBILE_QR_PAIRING_TTL_MS;
+      const refreshed = {
+        ...this.pairing,
+        qrNonce: randomBytes(16).toString("hex"),
+        qrExpiresAt: Math.max(nextQrExpiry, this.pairing.qrExpiresAt + 1)
+      };
+      this.pairing = refreshed;
+      return { ...refreshed };
+    }
+    const next = {
+      expiresAt: this.now() + MOBILE_PAIRING_TTL_MS,
+      qrNonce: randomBytes(16).toString("hex"),
+      qrExpiresAt: this.now() + MOBILE_QR_PAIRING_TTL_MS
+    };
+    this.pairing = next;
+    return { ...next };
+  }
+  getStatus() {
+    this.expireIfNeeded();
+    return {
+      active: this.pairing !== null,
+      expiresAt: this.pairing?.expiresAt ?? null
+    };
+  }
+  confirmPairingQrNonce(qrNonce) {
+    this.expireIfNeeded();
+    if (!this.pairing) return false;
+    if (this.now() >= this.pairing.qrExpiresAt) return false;
+    if (qrNonce.trim() !== this.pairing.qrNonce) return false;
+    this.pairing = null;
+    return true;
+  }
+  expireIfNeeded() {
+    if (!this.pairing) return;
+    if (this.now() >= this.pairing.expiresAt) {
+      this.pairing = null;
+    }
+  }
+};
+function createServerInstanceId() {
+  return randomBytes(8).toString("hex");
+}
+
+// src/mdns.ts
+import { Bonjour } from "bonjour-service";
+function publishMobileService({
+  name,
+  type,
+  port,
+  instanceId
+}) {
+  const bonjour = new Bonjour();
+  const service = bonjour.publish({
+    name,
+    type,
+    port,
+    txt: {
+      instanceId,
+      version: "1"
+    }
+  });
+  return {
+    stop: () => new Promise((resolve) => {
+      const maybeService = service;
+      if (!maybeService || typeof maybeService.stop !== "function") {
+        bonjour.destroy();
+        resolve();
+        return;
+      }
+      maybeService.stop(() => {
+        bonjour.destroy();
+        resolve();
+      });
+    })
+  };
+}
+
+// src/auth-token.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
 var DEFAULT_TOKEN_DIR = join2(homedir2(), ".codex-blocker");
 var DEFAULT_TOKEN_PATH = join2(DEFAULT_TOKEN_DIR, "token");
+function createAuthToken() {
+  return randomBytes2(32).toString("hex");
+}
+
+// src/pairing-qr.ts
+import QRCode from "qrcode";
+var PAIRING_QR_FORMAT = "cbm-v1";
+var PAIRING_QR_PREFIX = "CBM1";
+function encodePairingQrPayload(input) {
+  const host = encodeURIComponent(input.host);
+  const instanceId = encodeURIComponent(input.instanceId);
+  const qrNonce = encodeURIComponent(input.qrNonce);
+  return `${PAIRING_QR_PREFIX};h=${host};p=${input.port};i=${instanceId};n=${qrNonce};e=${input.expiresAt}`;
+}
+async function renderPairingQr(payload) {
+  return QRCode.toString(payload, { type: "terminal", small: true });
+}
+
+// src/server.ts
 var RATE_WINDOW_MS = 6e4;
 var RATE_LIMIT = 60;
 var MAX_WS_CONNECTIONS_PER_IP = 3;
+var MOBILE_SERVICE_TYPE = "codex-blocker";
+var PAIR_CONFIRM_WINDOW_MS = 6e4;
+var PAIR_CONFIRM_MAX_FAILURES = 6;
+var PAIR_CONFIRM_LOCKOUT_MS = 2 * 6e4;
+var WS_TOKEN_PROTOCOL_PREFIX = "codex-blocker-token.";
+var INVALID_JSON_SENTINEL = /* @__PURE__ */ Symbol("invalid-json");
 var rateByIp = /* @__PURE__ */ new Map();
 var wsConnectionsByIp = /* @__PURE__ */ new Map();
-function loadToken(tokenPath) {
-  if (!existsSync2(tokenPath)) return null;
+var extensionPairConfirmByIp = /* @__PURE__ */ new Map();
+var mobilePairConfirmByIp = /* @__PURE__ */ new Map();
+var CHROME_EXTENSION_ID_PATTERN = /^[a-p]{32}$/;
+function isTrustedChromeExtensionOrigin(origin) {
+  if (!origin) return false;
   try {
-    return readFileSync(tokenPath, "utf-8").trim() || null;
+    const parsed = new URL(origin);
+    return parsed.protocol === "chrome-extension:" && CHROME_EXTENSION_ID_PATTERN.test(parsed.hostname);
   } catch {
-    return null;
+    return false;
   }
 }
-function saveToken(tokenPath, token) {
-  const tokenDir = dirname2(tokenPath);
-  if (!existsSync2(tokenDir)) {
-    mkdirSync(tokenDir, { recursive: true });
-  }
-  writeFileSync(tokenPath, token, "utf-8");
+function canBootstrapExtensionToken(providedToken, allowExtensionOrigin) {
+  return Boolean(providedToken && allowExtensionOrigin);
 }
-function isChromeExtensionOrigin(origin) {
-  return Boolean(origin && origin.startsWith("chrome-extension://"));
+function isLoopbackClientIp(clientIp) {
+  if (!clientIp) return false;
+  const normalized = clientIp.startsWith("::ffff:") ? clientIp.slice(7) : clientIp;
+  return normalized === "127.0.0.1" || normalized === "::1";
 }
 function getClientIp(req) {
   return req.socket.remoteAddress ?? "unknown";
@@ -482,6 +639,40 @@ function checkRateLimit(ip) {
   state2.count += 1;
   return true;
 }
+function getPairConfirmState(lockoutStore, ip) {
+  const now = Date.now();
+  const current = lockoutStore.get(ip);
+  if (!current || current.resetAt <= now) {
+    const next = {
+      failures: 0,
+      resetAt: now + PAIR_CONFIRM_WINDOW_MS,
+      lockoutUntil: 0
+    };
+    lockoutStore.set(ip, next);
+    return next;
+  }
+  return current;
+}
+function canAttemptPairConfirm(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  return state2.lockoutUntil <= Date.now();
+}
+function getPairConfirmRetryAfterMs(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  const remaining = state2.lockoutUntil - Date.now();
+  return remaining > 0 ? remaining : 0;
+}
+function recordPairConfirmFailure(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  state2.failures += 1;
+  if (state2.failures >= PAIR_CONFIRM_MAX_FAILURES) {
+    state2.failures = 0;
+    state2.lockoutUntil = Date.now() + PAIR_CONFIRM_LOCKOUT_MS;
+  }
+}
+function clearPairConfirmFailures(lockoutStore, ip) {
+  lockoutStore.delete(ip);
+}
 function readAuthToken(req, url) {
   const header = req.headers.authorization;
   if (header && header.startsWith("Bearer ")) {
@@ -493,26 +684,154 @@ function readAuthToken(req, url) {
   if (typeof alt === "string" && alt.length > 0) return alt;
   return null;
 }
+function parseWebSocketProtocols(protocolsHeader) {
+  const raw = Array.isArray(protocolsHeader) ? protocolsHeader.join(",") : protocolsHeader ?? "";
+  return raw.split(",").map((value) => value.trim()).filter((value) => value.length > 0);
+}
+function readTokenFromWebSocketProtocols(protocolsHeader) {
+  const protocols = parseWebSocketProtocols(protocolsHeader);
+  for (const protocol of protocols) {
+    if (protocol.startsWith(WS_TOKEN_PROTOCOL_PREFIX)) {
+      const token = protocol.slice(WS_TOKEN_PROTOCOL_PREFIX.length).trim();
+      if (token.length > 0) return token;
+    }
+  }
+  return null;
+}
+function readWebSocketAuthToken(req, url) {
+  const protocolToken = readTokenFromWebSocketProtocols(
+    req.headers["sec-websocket-protocol"]
+  );
+  if (protocolToken) return protocolToken;
+  return readAuthToken(req, url);
+}
+function decrementWsConnectionCount(clientIp) {
+  const next = (wsConnectionsByIp.get(clientIp) ?? 1) - 1;
+  if (next <= 0) {
+    wsConnectionsByIp.delete(clientIp);
+    return;
+  }
+  wsConnectionsByIp.set(clientIp, next);
+}
 function sendJson(res, data, status = 200) {
   res.writeHead(status, { "Content-Type": "application/json" });
   res.end(JSON.stringify(data));
 }
+function normalizeListenHost(bindHost) {
+  if (bindHost === "0.0.0.0") {
+    return "127.0.0.1";
+  }
+  return bindHost;
+}
+async function readJsonBody(req, maxBytes = 8192) {
+  const chunks = [];
+  let totalBytes = 0;
+  for await (const chunk of req) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalBytes += buffer.byteLength;
+    if (totalBytes > maxBytes) {
+      return INVALID_JSON_SENTINEL;
+    }
+    chunks.push(buffer);
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(Buffer.concat(chunks).toString("utf-8"));
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return INVALID_JSON_SENTINEL;
+    }
+    return parsed;
+  } catch {
+    return INVALID_JSON_SENTINEL;
+  }
+}
+function getResponseHost(req, bindHost, port) {
+  if (req.headers.host) {
+    return req.headers.host;
+  }
+  return `${normalizeListenHost(bindHost)}:${port}`;
+}
+function splitHostAndPort(rawHost, fallbackPort) {
+  try {
+    const parsed = new URL(`http://${rawHost}`);
+    const parsedPort = parsed.port ? Number.parseInt(parsed.port, 10) : fallbackPort;
+    return {
+      host: parsed.hostname,
+      port: Number.isInteger(parsedPort) && parsedPort > 0 && parsedPort < 65536 ? parsedPort : fallbackPort
+    };
+  } catch {
+    return { host: rawHost, port: fallbackPort };
+  }
+}
 function startServer(port = DEFAULT_PORT, options) {
   const stateInstance = options?.state ?? state;
-  const tokenPath = options?.tokenPath ?? DEFAULT_TOKEN_PATH;
   const startWatcher = options?.startWatcher ?? true;
   const logBanner = options?.log ?? true;
-  let authToken = loadToken(tokenPath);
+  const mobileEnabled = options?.mobile ?? true;
+  const bindHost = options?.bindHost ?? (mobileEnabled ? "0.0.0.0" : "127.0.0.1");
+  const mobileServiceName = options?.mobileServiceName ?? "Codex Blocker";
+  const publishMdns = options?.publishMdns ?? mobileEnabled;
+  const mobileQrOutput = options?.mobileQrOutput ?? true;
+  const autoStartMobilePairing = options?.autoStartMobilePairing ?? true;
+  const mobileInstanceId = createServerInstanceId();
+  let authToken = null;
+  let activePort = port;
+  let mdnsService = null;
+  const extensionPairing = mobileEnabled ? options?.extensionPairingManager ?? new ExtensionPairingManager() : null;
+  const mobileQrPairing = mobileEnabled ? options?.mobileQrPairingManager ?? new MobileQrPairingManager() : null;
+  const printExtensionPairingCode = (code) => {
+    if (!logBanner) return;
+    console.log(
+      `
+[Codex Blocker] Extension pairing code (6-digit, extension only): ${code} (expires in 2 minutes)
+`
+    );
+  };
+  const printPairingQr = (host, portToUse, qrNonce, qrExpiresAt) => {
+    if (!logBanner || !mobileQrOutput) return;
+    const payload = encodePairingQrPayload({
+      host,
+      port: portToUse,
+      instanceId: mobileInstanceId,
+      qrNonce,
+      expiresAt: qrExpiresAt
+    });
+    void renderPairingQr(payload).then((terminalQr) => {
+      console.log(
+        `[Codex Blocker] Mobile app pairing QR (QR-only, expires in 60 seconds):
+${terminalQr}
+`
+      );
+    }).catch((error) => {
+      console.warn(
+        `[Codex Blocker] Failed to render pairing QR: ${error instanceof Error ? error.message : String(error)}`
+      );
+    });
+  };
+  const sendPairingToken = (req, res) => {
+    if (!authToken) {
+      authToken = createAuthToken();
+    }
+    const host = getResponseHost(req, bindHost, activePort);
+    const payload = {
+      token: authToken,
+      statusUrl: `http://${host}/status`,
+      wsUrl: `ws://${host}/ws`
+    };
+    sendJson(res, payload);
+  };
   const server = createServer(async (req, res) => {
     const clientIp = getClientIp(req);
     if (!checkRateLimit(clientIp)) {
       sendJson(res, { error: "Too Many Requests" }, 429);
       return;
     }
-    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    const url = new URL(req.url || "/", `http://localhost:${activePort}`);
     const origin = req.headers.origin;
-    const allowOrigin = isChromeExtensionOrigin(origin);
-    if (allowOrigin && origin) {
+    const allowExtensionOrigin = isTrustedChromeExtensionOrigin(origin);
+    if (allowExtensionOrigin && origin) {
       res.setHeader("Access-Control-Allow-Origin", origin);
       res.setHeader("Vary", "Origin");
       res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
@@ -522,19 +841,153 @@ function startServer(port = DEFAULT_PORT, options) {
       );
     }
     if (req.method === "OPTIONS") {
-      res.writeHead(allowOrigin ? 204 : 403);
+      res.writeHead(allowExtensionOrigin ? 204 : 403);
       res.end();
       return;
     }
+    if (extensionPairing && mobileQrPairing) {
+      if (req.method === "GET" && url.pathname === "/mobile/discovery") {
+        const pairingStatus = mobileQrPairing.getStatus();
+        const payload = {
+          name: mobileServiceName,
+          instanceId: mobileInstanceId,
+          port: activePort,
+          pairingRequired: !authToken,
+          pairingExpiresAt: pairingStatus.expiresAt
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/extension/pair/start") {
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const startBody = body;
+        const regenerateCode = startBody.regenerateCode === true;
+        const pairingWasActive = extensionPairing.getStatus().active;
+        const pairingCode = extensionPairing.startPairing(regenerateCode);
+        if (!pairingWasActive || regenerateCode) {
+          printExtensionPairingCode(pairingCode.code);
+        }
+        const payload = {
+          expiresAt: pairingCode.expiresAt
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/extension/pair/confirm") {
+        if (!canAttemptPairConfirm(extensionPairConfirmByIp, clientIp)) {
+          const retryAfterMs = getPairConfirmRetryAfterMs(extensionPairConfirmByIp, clientIp);
+          if (retryAfterMs > 0) {
+            res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1e3)));
+          }
+          sendJson(
+            res,
+            {
+              error: "Too Many Requests",
+              code: "pair_confirm_locked",
+              retryAfterMs
+            },
+            429
+          );
+          return;
+        }
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const confirmBody = body;
+        const code = typeof confirmBody.code === "string" ? confirmBody.code.trim() : "";
+        if (code.length === 0) {
+          sendJson(res, { error: "Provide extension pairing code" }, 400);
+          return;
+        }
+        const confirmed = extensionPairing.confirmPairingCode(code);
+        if (!confirmed) {
+          recordPairConfirmFailure(extensionPairConfirmByIp, clientIp);
+          sendJson(res, { error: "Invalid or expired extension pairing code" }, 401);
+          return;
+        }
+        clearPairConfirmFailures(extensionPairConfirmByIp, clientIp);
+        sendPairingToken(req, res);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/mobile/pair/start") {
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const startBody = body;
+        const refreshQr = startBody.refreshQr === true;
+        const pairingWasActive = mobileQrPairing.getStatus().active;
+        const pairingCode = mobileQrPairing.startPairing(refreshQr);
+        if (!pairingWasActive || refreshQr) {
+          const rawHost = getResponseHost(req, bindHost, activePort);
+          const hostInfo = splitHostAndPort(rawHost, activePort);
+          printPairingQr(
+            hostInfo.host,
+            hostInfo.port,
+            pairingCode.qrNonce,
+            pairingCode.qrExpiresAt
+          );
+        }
+        const payload = {
+          expiresAt: pairingCode.expiresAt,
+          qrExpiresAt: pairingCode.qrExpiresAt,
+          qrFormat: PAIRING_QR_FORMAT
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/mobile/pair/confirm") {
+        if (!canAttemptPairConfirm(mobilePairConfirmByIp, clientIp)) {
+          const retryAfterMs = getPairConfirmRetryAfterMs(mobilePairConfirmByIp, clientIp);
+          if (retryAfterMs > 0) {
+            res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1e3)));
+          }
+          sendJson(
+            res,
+            {
+              error: "Too Many Requests",
+              code: "pair_confirm_locked",
+              retryAfterMs
+            },
+            429
+          );
+          return;
+        }
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const confirmBody = body;
+        const qrNonce = typeof confirmBody.qrNonce === "string" ? confirmBody.qrNonce.trim() : "";
+        if (qrNonce.length === 0) {
+          sendJson(res, { error: "Provide mobile QR nonce" }, 400);
+          return;
+        }
+        const confirmed = mobileQrPairing.confirmPairingQrNonce(qrNonce);
+        if (!confirmed) {
+          recordPairConfirmFailure(mobilePairConfirmByIp, clientIp);
+          sendJson(res, { error: "Invalid or expired QR nonce" }, 401);
+          return;
+        }
+        clearPairConfirmFailures(mobilePairConfirmByIp, clientIp);
+        sendPairingToken(req, res);
+        return;
+      }
+    }
     const providedToken = readAuthToken(req, url);
     if (authToken) {
       if (!providedToken || providedToken !== authToken) {
         sendJson(res, { error: "Unauthorized" }, 401);
         return;
       }
-    } else if (providedToken && allowOrigin) {
-      authToken = providedToken;
-      saveToken(tokenPath, providedToken);
     } else {
       sendJson(res, { error: "Unauthorized" }, 401);
       return;
@@ -547,11 +1000,10 @@ function startServer(port = DEFAULT_PORT, options) {
   });
   const wss = new WebSocketServer({ server, path: "/ws" });
   wss.on("connection", (ws, req) => {
-    const wsUrl = new URL(req.url || "", `http://localhost:${port}`);
-    const providedToken = wsUrl.searchParams.get("token");
-    const origin = req.headers.origin;
-    const allowOrigin = isChromeExtensionOrigin(origin);
+    const wsUrl = new URL(req.url || "", `http://localhost:${activePort}`);
+    const providedToken = readWebSocketAuthToken(req, wsUrl);
     const clientIp = getClientIp(req);
+    const allowExtensionOrigin = isTrustedChromeExtensionOrigin(req.headers.origin);
     const currentConnections = wsConnectionsByIp.get(clientIp) ?? 0;
     if (currentConnections >= MAX_WS_CONNECTIONS_PER_IP) {
       ws.close(1013, "Too many connections");
@@ -562,9 +1014,8 @@ function startServer(port = DEFAULT_PORT, options) {
         ws.close(1008, "Unauthorized");
         return;
       }
-    } else if (providedToken && allowOrigin) {
+    } else if (canBootstrapExtensionToken(providedToken, allowExtensionOrigin)) {
       authToken = providedToken;
-      saveToken(tokenPath, providedToken);
     } else {
       ws.close(1008, "Unauthorized");
       return;
@@ -586,17 +1037,11 @@ function startServer(port = DEFAULT_PORT, options) {
     });
     ws.on("close", () => {
       unsubscribe();
-      wsConnectionsByIp.set(
-        clientIp,
-        Math.max(0, (wsConnectionsByIp.get(clientIp) ?? 1) - 1)
-      );
+      decrementWsConnectionCount(clientIp);
     });
     ws.on("error", () => {
       unsubscribe();
-      wsConnectionsByIp.set(
-        clientIp,
-        Math.max(0, (wsConnectionsByIp.get(clientIp) ?? 1) - 1)
-      );
+      decrementWsConnectionCount(clientIp);
     });
   });
   const codexWatcher = new CodexSessionWatcher(stateInstance, {
@@ -616,23 +1061,62 @@ function startServer(port = DEFAULT_PORT, options) {
     close: async () => {
       stateInstance.destroy();
       codexWatcher.stop();
+      if (mdnsService) {
+        await mdnsService.stop();
+        mdnsService = null;
+      }
       await new Promise((resolve) => wss.close(() => resolve()));
       await new Promise((resolve) => server.close(() => resolve()));
     }
   };
-  server.listen(port, "127.0.0.1", () => {
+  server.listen(port, bindHost, () => {
     const address = server.address();
     const actualPort = typeof address === "object" && address ? address.port : port;
     handle.port = actualPort;
+    activePort = actualPort;
     resolveReady(actualPort);
+    if (extensionPairing && mobileQrPairing && autoStartMobilePairing) {
+      if (logBanner) {
+        const pairingSummary = mobileQrOutput ? "extension uses 6-digit code only; mobile app uses QR only." : "extension uses 6-digit code only.";
+        console.log(`[Codex Blocker] Pairing paths: ${pairingSummary}`);
+      }
+      const extensionPairingCode = extensionPairing.startPairing();
+      printExtensionPairingCode(extensionPairingCode.code);
+      const mobilePairingCode = mobileQrPairing.startPairing();
+      printPairingQr(
+        "codex-blocker.local",
+        actualPort,
+        mobilePairingCode.qrNonce,
+        mobilePairingCode.qrExpiresAt
+      );
+      if (publishMdns) {
+        try {
+          mdnsService = publishMobileService({
+            name: mobileServiceName,
+            type: MOBILE_SERVICE_TYPE,
+            port: actualPort,
+            instanceId: mobileInstanceId
+          });
+        } catch (error) {
+          if (logBanner) {
+            console.warn(
+              `[Codex Blocker] Failed to publish mDNS service: ${error instanceof Error ? error.message : String(error)}`
+            );
+          }
+        }
+      }
+    }
     if (!logBanner) return;
+    const displayHost = bindHost === "0.0.0.0" ? "localhost" : bindHost;
+    const mobileLine = !mobileEnabled ? "" : mobileQrOutput ? `
+\u2502   Mobile:    enabled (${mobileServiceName})  \u2502` : "\n\u2502   Mobile:    extension-only              \u2502";
     console.log(`
 \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
 \u2502                                     \u2502
 \u2502   Codex Blocker Server              \u2502
 \u2502                                     \u2502
-\u2502   HTTP:      http://localhost:${actualPort}  \u2502
-\u2502   WebSocket: ws://localhost:${actualPort}/ws \u2502
+\u2502   HTTP:      http://${displayHost}:${actualPort}  \u2502
+\u2502   WebSocket: ws://${displayHost}:${actualPort}/ws \u2502${mobileLine}
 \u2502                                     \u2502
 \u2502   Watching Codex sessions...        \u2502
 \u2502                                     \u2502
@@ -650,5 +1134,7 @@ function startServer(port = DEFAULT_PORT, options) {
 
 export {
   DEFAULT_PORT,
+  isTrustedChromeExtensionOrigin,
+  isLoopbackClientIp,
   startServer
 };

package/dist/server.d.ts

@@ -38,12 +38,53 @@ declare class SessionState {
     destroy(): void;
 }
 
+type PairingStatus = {
+    active: boolean;
+    expiresAt: number | null;
+};
+type ExtensionPairingCode = {
+    code: string;
+    expiresAt: number;
+};
+declare class ExtensionPairingManager {
+    private readonly now;
+    private pairing;
+    constructor(now?: () => number);
+    startPairing(regenerateCode?: boolean): ExtensionPairingCode;
+    getStatus(): PairingStatus;
+    confirmPairingCode(code: string): boolean;
+    private expireIfNeeded;
+}
+type MobileQrPairingCode = {
+    expiresAt: number;
+    qrNonce: string;
+    qrExpiresAt: number;
+};
+declare class MobileQrPairingManager {
+    private readonly now;
+    private pairing;
+    constructor(now?: () => number);
+    startPairing(refreshQr?: boolean): MobileQrPairingCode;
+    getStatus(): PairingStatus;
+    confirmPairingQrNonce(qrNonce: string): boolean;
+    private expireIfNeeded;
+}
+
+declare function isTrustedChromeExtensionOrigin(origin?: string | null): boolean;
+declare function isLoopbackClientIp(clientIp?: string | null): boolean;
 type ServerOptions = {
     sessionsDir?: string;
     startWatcher?: boolean;
-    tokenPath?: string;
     state?: SessionState;
     log?: boolean;
+    bindHost?: string;
+    mobile?: boolean;
+    mobileServiceName?: string;
+    publishMdns?: boolean;
+    extensionPairingManager?: ExtensionPairingManager;
+    mobileQrPairingManager?: MobileQrPairingManager;
+    mobileQrOutput?: boolean;
+    autoStartMobilePairing?: boolean;
 };
 type ServerHandle = {
     port: number;
@@ -52,4 +93,4 @@ type ServerHandle = {
 };
 declare function startServer(port?: number, options?: ServerOptions): ServerHandle;
 
-export { type ServerHandle, type ServerOptions, startServer };
+export { type ServerHandle, type ServerOptions, isLoopbackClientIp, isTrustedChromeExtensionOrigin, startServer };

package/dist/server.js

@@ -1,6 +1,10 @@
 import {
+  isLoopbackClientIp,
+  isTrustedChromeExtensionOrigin,
   startServer
-} from "./chunk-KNFNSOAX.js";
+} from "./chunk-ZDUKZXM4.js";
 export {
+  isLoopbackClientIp,
+  isTrustedChromeExtensionOrigin,
   startServer
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-blocker",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Automatically blocks distracting websites unless Codex is actively running. Forked from Theo Browne's (T3) Claude Blocker",
   "author": "Adam Blumoff ",
   "repository": {
@@ -26,10 +26,13 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
+    "bonjour-service": "^1.3.0",
+    "qrcode": "^1.5.4",
     "ws": "^8.18.0"
   },
   "devDependencies": {
     "@types/node": "^22.10.2",
+    "@types/qrcode": "^1.5.5",
     "@types/ws": "^8.5.13",
     "tsup": "^8.3.5",
     "tsx": "^4.19.2",