ghostterm 1.1.2 → 1.2.0

package/CHANGELOG.md

@@ -0,0 +1,60 @@
+# Changelog
+
+## 1.2.0 (2026-03-17)
+
+### Features
+- **Background mode by default** — `npx ghostterm` now runs in the background automatically, no terminal window
+- **CLI commands** — `npx ghostterm stop`, `npx ghostterm status`, `npx ghostterm logs`
+- **First-run login** — opens browser for Google sign-in in foreground, then auto-restarts as daemon
+- **Duplicate detection** — prevents starting multiple instances
+- **12345 numpad popup** — quick number selection for CLI surveys/prompts (raw keypress without Enter)
+- **Screen button** — renamed from "Shot" for clarity
+- **Paste button shows filename** — after uploading, displays shortened filename instead of generic "Paste"
+- **Session persistence** — refreshing the page restores your last active terminal session
+- **PM2 support** — can run in background without a terminal window
+
+### Security & Stability
+- **Heartbeat ping/pong** — relay pings every 20s; mobile detects dead connections within 30s and auto-reconnects
+- **Disconnect overlay** — clear full-screen prompt when companion goes offline
+- **Session loading spinner** — visual feedback when switching sessions
+- **Improved toast notifications** — slide-in animation
+
+### Docs
+- Updated README with new features, PM2 instructions, heartbeat details
+- Added CHANGELOG
+
+## 1.1.1 (2026-03-16)
+
+### Security Hardening
+- **Rate limiting** — 50 messages/second per WebSocket connection
+- **IP connection limit** — max 5 concurrent connections per IP
+- **Brute force protection** — pair code entry locked after 3 failed attempts (60s cooldown)
+- **Origin verification** — only ghostterm.pages.dev allowed
+- **Max payload** — 1MB limit per WebSocket message
+- **Timing-safe HMAC** — prevents timing attacks on token verification
+- **Upload validation** — 5MB size limit + extension whitelist
+- **Pair code format validation** — must be exactly 6 digits
+- **WSS enforcement** — prevents MITM downgrade attacks
+- **Exponential backoff** — reconnection delay 1s → 30s max
+
+### Bug Fixes
+- Fixed ghost duplication (stale session list cleared on reconnect)
+- Fixed auto-scroll during thinking output (touch/button scroll disables auto-scroll)
+- Fixed smartScroll jumping to top of terminal
+
+## 1.1.0 (2026-03-15)
+
+### Features
+- Google OAuth auto-pairing (sign in once, auto-reconnects)
+- Long-lived token (30 days, no repeated Google sign-in)
+- 4 simultaneous terminal sessions with ghost cell previews
+- Pixel office mode
+- File upload and screenshot support
+- D-pad controls, quick keys (y/n/Tab/Shift+Tab)
+- Copy mode for terminal text selection
+
+## 1.0.0 (2026-03-14)
+
+- Initial release
+- Basic terminal relay via WebSocket
+- Pair code pairing

package/README.md

@@ -38,7 +38,23 @@ No VPN. No Tailscale. No port forwarding. Just one command.
 npx ghostterm
 ```
 
-First run opens a browser for Google sign-in. After that, it remembers you.
+First run opens a browser for Google sign-in. After that, it runs in the background automatically — no terminal window.
+
+```
+$ npx ghostterm
+  ✅ GhostTerm running in background (PID: 12345)
+  📱 Open: ghostterm.pages.dev
+  🛑 Stop: npx ghostterm stop
+  📋 Logs: npx ghostterm logs
+```
+
+Other commands:
+
+```bash
+npx ghostterm status   # check if running
+npx ghostterm stop     # stop the background process
+npx ghostterm logs     # show recent logs
+```
 
 ### 2. On your phone
 
@@ -73,16 +89,18 @@ Open **[ghostterm.pages.dev](https://ghostterm.pages.dev)** in any mobile browse
 ### Controls
 
 - **Quick keys** — one-tap `y`/`n` for Claude Code approvals
-- **D-pad** — arrow keys, Enter, Tab, Shift+Tab
+- **12345 numpad** — tap to pop up number selection for CLI surveys/prompts (raw keypress, no Enter)
+- **D-pad** — arrow keys, Enter, Tab, Shift+Tab, Space
 - **`claude` button** — quick-launch menu: new session, resume, continue, dangerous mode
-- **Ctrl+C** — interrupt running processes
+- **Ctrl+C (Stop)** — interrupt running processes
 - **Text input** — full keyboard input with Send button
 - **Copy mode** — select and copy terminal text
 
 ### File Transfer
 
-- **Screenshot** — capture your phone screen and send it to your PC terminal
+- **Screen** — capture your terminal screen and send it to your PC as a file
 - **File upload** — upload files directly from your phone to your desktop
+- **Paste button** — after uploading, shows shortened filename; tap to paste the file path into the terminal
 
 ### Visual
 
@@ -95,7 +113,9 @@ Open **[ghostterm.pages.dev](https://ghostterm.pages.dev)** in any mobile browse
 - **Google auto-pairing** — sign in once, auto-reconnects forever
 - **Encrypted relay** — all traffic over WSS (WebSocket Secure)
 - **Zero data stored** — the relay only forwards messages
-- **Auto-reconnect** — handles network drops gracefully
+- **Heartbeat** — relay pings every 20s; dead connections detected and auto-reconnected within 30s
+- **Auto-reconnect** — exponential backoff (1s → 30s max), handles network drops gracefully
+- **Session persistence** — refreshing the page restores your last active terminal session
 
 ---
 
@@ -175,8 +195,7 @@ GHOSTTERM_RELAY=wss://your-relay.example.com npx ghostterm
 
 ## Pricing
 
-- **Free**: 1 hour/day, all features included
-- **Pro**: $5/month or $12/quarter — unlimited access
+GhostTerm is currently **free** during early access. Pro plans coming soon.
 
 ---
 

package/bin/ghostterm.js

@@ -433,8 +433,106 @@ function handleRelayMessage(msg) {
   }
 }
 
+// ==================== Background Mode ====================
+const PID_FILE = path.join(CRED_DIR, 'ghostterm.pid');
+const LOG_FILE = path.join(CRED_DIR, 'ghostterm.log');
+
+function isRunning(pid) {
+  try { process.kill(pid, 0); return true; } catch { return false; }
+}
+
+function handleSubcommand() {
+  const arg = process.argv[2];
+
+  if (arg === 'stop') {
+    if (fs.existsSync(PID_FILE)) {
+      const pid = parseInt(fs.readFileSync(PID_FILE, 'utf8'));
+      if (isRunning(pid)) {
+        process.kill(pid);
+        fs.unlinkSync(PID_FILE);
+        console.log(`  GhostTerm stopped (PID: ${pid})`);
+      } else {
+        fs.unlinkSync(PID_FILE);
+        console.log('  GhostTerm was not running');
+      }
+    } else {
+      console.log('  GhostTerm is not running');
+    }
+    process.exit(0);
+  }
+
+  if (arg === 'status') {
+    if (fs.existsSync(PID_FILE)) {
+      const pid = parseInt(fs.readFileSync(PID_FILE, 'utf8'));
+      if (isRunning(pid)) {
+        console.log(`  GhostTerm is running (PID: ${pid})`);
+      } else {
+        fs.unlinkSync(PID_FILE);
+        console.log('  GhostTerm is not running');
+      }
+    } else {
+      console.log('  GhostTerm is not running');
+    }
+    process.exit(0);
+  }
+
+  if (arg === 'logs') {
+    if (fs.existsSync(LOG_FILE)) {
+      const lines = fs.readFileSync(LOG_FILE, 'utf8').split('\n').slice(-50);
+      console.log(lines.join('\n'));
+    } else {
+      console.log('  No logs found');
+    }
+    process.exit(0);
+  }
+
+  // No subcommand = start in background (unless already daemonized via --daemon)
+  if (arg !== '--daemon') {
+    // Check if already running
+    if (fs.existsSync(PID_FILE)) {
+      const pid = parseInt(fs.readFileSync(PID_FILE, 'utf8'));
+      if (isRunning(pid)) {
+        console.log(`  GhostTerm is already running (PID: ${pid})`);
+        console.log('  Stop: npx ghostterm stop');
+        process.exit(0);
+      }
+    }
+
+    // First-time login needs foreground (browser opens)
+    const needsLogin = !fs.existsSync(CRED_FILE);
+    if (needsLogin) {
+      // Run in foreground for first login, then restart as daemon
+      return 'foreground-first-login';
+    }
+
+    // Spawn self as daemon
+    const { spawn } = require('child_process');
+    const out = fs.openSync(LOG_FILE, 'a');
+    const child = spawn(process.execPath, [__filename, '--daemon'], {
+      detached: true,
+      stdio: ['ignore', out, out],
+      env: { ...process.env },
+    });
+    child.unref();
+    fs.writeFileSync(PID_FILE, String(child.pid));
+    console.log('');
+    console.log(`  ✅ GhostTerm running in background (PID: ${child.pid})`);
+    console.log('  📱 Open: ghostterm.pages.dev');
+    console.log('  🛑 Stop: npx ghostterm stop');
+    console.log('  📋 Logs: npx ghostterm logs');
+    console.log('');
+    process.exit(0);
+  }
+
+  // --daemon: write PID file and continue to main()
+  fs.writeFileSync(PID_FILE, String(process.pid));
+  return 'daemon';
+}
+
 // ==================== Main ====================
 async function main() {
+  const mode = handleSubcommand();
+
   console.log('');
   console.log('  ╔═══════════════════════════════════╗');
   console.log('  ║         GhostTerm Companion        ║');
@@ -449,6 +547,26 @@ async function main() {
     console.log('  Will use pairing code instead');
   }
 
+  // First login done in foreground — now restart as daemon
+  if (mode === 'foreground-first-login' && googleToken) {
+    console.log('');
+    console.log('  Login successful! Restarting in background...');
+    const { spawn } = require('child_process');
+    const out = fs.openSync(LOG_FILE, 'a');
+    const child = spawn(process.execPath, [__filename, '--daemon'], {
+      detached: true,
+      stdio: ['ignore', out, out],
+      env: { ...process.env },
+    });
+    child.unref();
+    fs.writeFileSync(PID_FILE, String(child.pid));
+    console.log(`  ✅ GhostTerm running in background (PID: ${child.pid})`);
+    console.log('  📱 Open: ghostterm.pages.dev');
+    console.log('  🛑 Stop: npx ghostterm stop');
+    console.log('');
+    process.exit(0);
+  }
+
   connectToRelay();
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghostterm",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Mobile terminal for Claude Code — control your PC from your phone",
   "bin": {
     "ghostterm": "bin/ghostterm.js"