npm - ghostterm - Versions diffs - 2.1.0 → 2.2.0 - Mend

ghostterm 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,50 @@
-# GhostTerm
+# GhostTerm — Control Claude Code from Your Phone
-Control your PC terminal from your phone — direct P2P, no relay server.
+> **v2.0: Complete P2P Rewrite** — Your terminal data never touches any server. Direct encrypted connection between your phone and PC.
+GhostTerm is a mobile companion for [Claude Code](https://docs.anthropic.com/en/docs/claude-code) that gives you **full terminal access from your phone** over a direct peer-to-peer connection.
+## Why GhostTerm?
+### Run Claude Code in Dangerous Mode — From Your Phone
+```bash
+claude --dangerously-skip-permissions
+```
+The official Claude Code mobile app doesn't support `--dangerously-skip-permissions`. GhostTerm gives you **full terminal access**, so you can launch Claude in fully autonomous mode and let it work while you're away from your desk. One tap to start, one tap to stop.
+### Not Just Claude — Full Terminal Access
+GhostTerm isn't limited to Claude Code. It's a complete remote terminal. Run **any command** — `git`, `npm`, `python`, `vim`, `docker`, anything your terminal can do. The official app only gives you Claude.
+### 4 Terminals at Once
+Run up to **4 concurrent terminal sessions** with ghost cell tabs. Have Claude Code running in one, a dev server in another, git in the third. Switch between them instantly. The official app gives you one.
+### See Everything at a Glance — Pixel Office
+A unique animated workspace shows all your terminal sessions as pixel ghosts. See which ones are busy, idle, or waiting for input — **without switching tabs**. Know exactly what's happening on your PC from a single screen.
+### True End-to-End Encryption
+Your terminal data travels directly between your phone and PC over **WebRTC with DTLS encryption**. The signaling server only handles the initial pairing handshake — it never sees your terminal data. Not even GhostTerm's servers can read what you type.
+Compare:
+- **Official app**: Your data → Anthropic's servers → Your PC
+- **GhostTerm**: Your phone ↔ Your PC (direct, encrypted, no middleman)
+### Send Files from Phone to PC
+Take a photo, pick a file, and send it straight to your PC terminal. Then tap paste to insert the file path. Perfect for sharing screenshots of bugs, uploading configs, or sending reference images to Claude.
+### One-Tap Controls
+Purpose-built buttons for Claude Code workflows:
+- **y / n** — approve or deny permission prompts instantly
+- **claude** — launch Claude Code with one tap
+- **Stop** — send Ctrl+C immediately
+- **Arrow keys, Tab, Escape** — all one tap, no keyboard fumbling
 ## Quick Start
@@ -8,34 +52,45 @@ Control your PC terminal from your phone — direct P2P, no relay server.
 npx ghostterm
 ```
-First time: browser opens for Google sign-in (one-time). After that, it remembers you.
+1. Run the command above on your PC (requires [Node.js 18+](https://nodejs.org))
+2. First time: browser opens for Google sign-in (one-time, remembered after)
+3. Open **[ghostterm.pages.dev](https://ghostterm.pages.dev)** on your phone
+4. Sign in with the same Google account → **auto-connects, no pairing codes**
-## How it works
+## Security
-1. Run `npx ghostterm` on your PC
-2. Open [ghostterm.pages.dev](https://ghostterm.pages.dev) on your phone
-3. Sign in with the same Google account → auto-connects, no codes needed
-4. All terminal data flows directly between devices (WebRTC, end-to-end encrypted)
-## Features
+```
+Phone ──── WebRTC DataChannel (DTLS encrypted) ────── PC
+                        │
+                  (pairing only)
+                        │
+               Signaling Server
+        (exchanges connection info, never sees terminal data)
+```
-- **Direct P2P** — no relay server, zero latency
-- **End-to-end encrypted** — DTLS encryption, server never sees your data
-- **Google auto-pair** — same account on both sides, no codes needed
-- **4 terminals** — manage multiple sessions with ghost cells
-- **Pixel office** — animated ghost workspace with your terminals
-- **One-tap y/n** — approve Claude Code prompts instantly
-- **File upload** — send files from phone to PC
+- **DTLS encryption** on all terminal data — end-to-end, no exceptions
+- **No data at rest** — the signaling server stores nothing
+- **Google OAuth** — verified identity for secure auto-pairing
+- **Brute force protection** — 3 wrong codes = 60s lockout
+- **Private beta** — access controlled by email whitelist
 ## Options
 ```
--s, --signal <url>   Signaling server URL
---site <url>         Mobile site URL
--h, --help           Show help
+npx ghostterm [options]
+  -s, --signal <url>   Custom signaling server URL
+  --site <url>         Custom mobile site URL
+  -h, --help           Show help
 ```
 ## Requirements
-- Node.js >= 18
-- Windows, macOS, or Linux
+- **Node.js 18+** on your PC
+- **Modern browser** on your phone (Safari, Chrome, Firefox)
+- **Google account** for auto-pairing
+## Links
+- **Mobile App**: [ghostterm.pages.dev](https://ghostterm.pages.dev)
+- **npm**: [npmjs.com/package/ghostterm](https://www.npmjs.com/package/ghostterm)

package/lib/pty-manager.js CHANGED Viewed

@@ -284,8 +284,15 @@ class PtyManager extends EventEmitter {
   _handleFileUpload(msg, responses) {
     const fs = require('fs');
     const tmpDir = os.tmpdir();
-    const filename = msg.filename || `upload_${Date.now()}${msg.ext || ''}`;
+    // Sanitize filename: strip path traversal, only allow safe chars
+    const rawName = msg.filename || `upload_${Date.now()}${msg.ext || ''}`;
+    const filename = path.basename(rawName).replace(/[^a-zA-Z0-9._\-]/g, '_');
     const filepath = path.join(tmpDir, filename);
+    // Verify resolved path is still inside tmpDir
+    if (!path.resolve(filepath).startsWith(path.resolve(tmpDir))) {
+      responses.push({ type: 'error', message: 'Invalid filename' });
+      return;
+    }
     try {
       const data = Buffer.from(msg.data, 'base64');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghostterm",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Control your PC terminal from your phone — direct P2P, no server in between",
   "bin": {
     "ghostterm": "bin/ghostterm-p2p.js"
@@ -20,11 +20,8 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/anthropic/ghostterm-p2p.git"
-  },
+  "license": "UNLICENSED",
+  "homepage": "https://ghostterm.pages.dev",
   "keywords": [
     "terminal",
     "remote",