npm - ghostterm - Versions diffs - 2.1.1 → 2.2.1 - Mend

ghostterm 2.1.1 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,17 +1,58 @@
-# GhostTerm — Control Claude Code from Your Phone
+<p align="center">
+  <img src="https://ghostterm.pages.dev/img/banner.png" alt="GhostTerm" width="400">
+</p>
-> **v2.0: Complete P2P Rewrite** — No more relay servers. Your terminal data never leaves your devices.
+<h1 align="center">GhostTerm</h1>
+<p align="center"><strong>Control Claude Code from Your Phone</strong></p>
+<p align="center">
+  <a href="https://www.npmjs.com/package/ghostterm"><img src="https://img.shields.io/npm/v/ghostterm.svg" alt="npm version"></a>
+  <a href="https://ghostterm.pages.dev"><img src="https://img.shields.io/badge/mobile-ghostterm.pages.dev-8b5cf6" alt="Mobile App"></a>
+</p>
-GhostTerm lets you control your PC terminal from your phone over a **direct peer-to-peer WebRTC connection**. Built for Claude Code users who need to approve prompts, monitor output, and manage sessions on the go.
+> **v2.0: Complete P2P Rewrite** — Your terminal data never touches any server. Direct encrypted connection between your phone and PC.
+GhostTerm is a mobile companion for [Claude Code](https://docs.anthropic.com/en/docs/claude-code) that gives you **full terminal access from your phone** over a direct peer-to-peer connection.
 ## Why GhostTerm?
-**Zero Trust Architecture** — Unlike traditional remote terminal tools that route your data through a server, GhostTerm establishes a direct encrypted tunnel between your phone and PC. The signaling server only helps with the initial handshake — it never sees your terminal data.
+### Run Claude Code in Dangerous Mode — From Your Phone
+```bash
+claude --dangerously-skip-permissions
+```
+The official Claude Code mobile app doesn't support `--dangerously-skip-permissions`. GhostTerm gives you **full terminal access**, so you can launch Claude in fully autonomous mode and let it work while you're away from your desk. One tap to start, one tap to stop.
+### Not Just Claude — Full Terminal Access
+GhostTerm isn't limited to Claude Code. It's a complete remote terminal. Run **any command** — `git`, `npm`, `python`, `vim`, `docker`, anything your terminal can do. The official app only gives you Claude.
+### 4 Terminals at Once
+Run up to **4 concurrent terminal sessions** with ghost cell tabs. Have Claude Code running in one, a dev server in another, git in the third. Switch between them instantly. The official app gives you one.
+### See Everything at a Glance — Pixel Office
+A unique animated workspace shows all your terminal sessions as pixel ghosts. See which ones are busy, idle, or waiting for input — **without switching tabs**. Know exactly what's happening on your PC from a single screen.
+### Encrypted Direct Connection
+The remote control link between your phone and PC is a **direct WebRTC connection with DTLS encryption**. Your keystrokes and terminal output travel straight between devices — they never pass through GhostTerm's servers or any third party.
+- **How it works**: Phone ↔ PC direct (the signaling server only helps with pairing, then gets out of the way)
+- **What's encrypted**: Everything you see and type in the remote terminal session
-- **End-to-end encrypted** (WebRTC DTLS) — not even we can read your data
-- **Direct P2P** — sub-millisecond latency, no relay bottleneck
-- **Google Sign-In auto-pair** — same account on phone + PC, connects instantly
-- **No API keys, no SSH, no Tailscale** — just `npx ghostterm` and go
+### Send Files from Phone to PC
+Take a photo, pick a file, and send it straight to your PC terminal. Then tap paste to insert the file path. Perfect for sharing screenshots of bugs, uploading configs, or sending reference images to Claude.
+### One-Tap Controls
+Purpose-built buttons for Claude Code workflows:
+- **y / n** — approve or deny permission prompts instantly
+- **claude** — launch Claude Code with one tap
+- **Stop** — send Ctrl+C immediately
+- **Arrow keys, Tab, Escape** — all one tap, no keyboard fumbling
 ## Quick Start
@@ -22,58 +63,24 @@ npx ghostterm
 1. Run the command above on your PC (requires [Node.js 18+](https://nodejs.org))
 2. First time: browser opens for Google sign-in (one-time, remembered after)
 3. Open **[ghostterm.pages.dev](https://ghostterm.pages.dev)** on your phone
-4. Sign in with the same Google account → **auto-connects, no codes needed**
-## Features
-| Feature | Description |
-|---------|------------|
-| **4 Concurrent Terminals** | Manage multiple Claude Code sessions with ghost cell tabs |
-| **One-Tap y/n** | Approve or deny Claude Code permission prompts instantly |
-| **Pixel Office** | Animated ghost workspace — see all terminals at a glance |
-| **File Upload** | Send screenshots and files from phone to PC |
-| **Dangerous Mode** | Launch Claude Code with `--dangerously-skip-permissions` |
-| **Auto-Reconnect** | Seamless recovery when connection drops |
-| **PWA Support** | Add to home screen for native app experience |
-## What's New in v2.0
-GhostTerm v2.0 is a **ground-up rewrite** replacing the relay architecture with peer-to-peer WebRTC:
+4. Sign in with the same Google account → **auto-connects, no pairing codes**
-- **Before (v1):** Phone → Relay Server → PC (server sees all terminal data)
-- **After (v2):** Phone ↔ PC directly (server only helps with pairing)
-This means:
-- Your terminal data is **never stored or transmitted through any server**
-- Latency drops from ~100ms (relay round-trip) to **<5ms** (direct P2P)
-- Server costs are near-zero (signaling only, no data relay)
-- Works even if the signaling server goes down (existing connections persist)
-## Security Model
+## Security
 ```
-Phone ──── WebRTC DataChannel (DTLS 1.3 encrypted) ────── PC
+Phone ──── WebRTC DataChannel (DTLS encrypted) ────── PC
                         │
                   (pairing only)
                         │
                Signaling Server
-          (exchanges SDP/ICE, never sees terminal data)
+        (exchanges connection info, never sees terminal data)
 ```
-- **DTLS encryption**: All terminal data encrypted end-to-end
-- **No data at rest**: Signaling server stores nothing
-- **One-time pair codes**: 6-digit codes expire in 5 minutes
-- **Brute force protection**: 3 wrong codes = 60s lockout
-- **Google OAuth**: Verified identity for auto-pairing
-## How It Works
-1. Your PC connects to a lightweight signaling server and registers with your Google account
-2. Your phone opens the web app and signs in with the same Google account
-3. The signaling server matches the accounts and facilitates a WebRTC handshake
-4. A direct peer-to-peer connection is established between your phone and PC
-5. All terminal I/O flows directly over the encrypted P2P channel
-6. The signaling server is no longer involved
+- **DTLS encryption** on all terminal data — end-to-end, no exceptions
+- **No data at rest** — the signaling server stores nothing
+- **Google OAuth** — verified identity for secure auto-pairing
+- **Brute force protection** — 3 wrong codes = 60s lockout
+- **Private beta** — access controlled by email whitelist
 ## Options
@@ -87,17 +94,11 @@ npx ghostterm [options]
 ## Requirements
-- **Node.js 18+** (for the PC companion)
-- **Modern browser** (for the phone — Safari, Chrome, Firefox)
-- **Google account** (for auto-pairing; or use 6-digit code without login)
-## Privacy
-- No analytics or tracking on the terminal data path
-- Google Sign-In is used solely for pairing — we don't access your Google data
-- The signaling server is open-source and can be self-hosted
-- All WebRTC connections use DTLS encryption by default
+- **Node.js 18+** on your PC
+- **Modern browser** on your phone (Safari, Chrome, Firefox)
+- **Google account** for auto-pairing
-## License
+## Links
-MIT
+- **Mobile App**: [ghostterm.pages.dev](https://ghostterm.pages.dev)
+- **npm**: [npmjs.com/package/ghostterm](https://www.npmjs.com/package/ghostterm)

package/lib/pty-manager.js CHANGED Viewed

@@ -284,8 +284,15 @@ class PtyManager extends EventEmitter {
   _handleFileUpload(msg, responses) {
     const fs = require('fs');
     const tmpDir = os.tmpdir();
-    const filename = msg.filename || `upload_${Date.now()}${msg.ext || ''}`;
+    // Sanitize filename: strip path traversal, only allow safe chars
+    const rawName = msg.filename || `upload_${Date.now()}${msg.ext || ''}`;
+    const filename = path.basename(rawName).replace(/[^a-zA-Z0-9._\-]/g, '_');
     const filepath = path.join(tmpDir, filename);
+    // Verify resolved path is still inside tmpDir
+    if (!path.resolve(filepath).startsWith(path.resolve(tmpDir))) {
+      responses.push({ type: 'error', message: 'Invalid filename' });
+      return;
+    }
     try {
       const data = Buffer.from(msg.data, 'base64');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghostterm",
-  "version": "2.1.1",
+  "version": "2.2.1",
   "description": "Control your PC terminal from your phone — direct P2P, no server in between",
   "bin": {
     "ghostterm": "bin/ghostterm-p2p.js"
@@ -21,10 +21,7 @@
     "node": ">=18.0.0"
   },
   "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/anthropic/ghostterm-p2p.git"
-  },
+  "homepage": "https://ghostterm.pages.dev",
   "keywords": [
     "terminal",
     "remote",