gitspace 0.2.0-rc.3 → 0.2.0-rc.4

package/.claude/settings.local.json

@@ -17,7 +17,9 @@
       "WebFetch(domain:developers.cloudflare.com)",
       "WebFetch(domain:gitspace.sh)",
       "Bash(/Users/bradleat/spaces/spaces/workspaces/remote-space/dist/gssh-darwin-arm64:*)",
-      "Bash(npx wrangler pages deploy:*)"
+      "Bash(npx wrangler pages deploy:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)"
     ]
   }
 }

package/AGENTS.md

@@ -215,10 +215,11 @@ src/
 | Command | Description |
 |---------|-------------|
 | `gssh relay start` | Start relay server |
-| `gssh relay token` | Create account JWT (HMAC) |
-| `gssh relay authorize <pubkey>` | Authorize a client on relay |
-| `gssh relay revoke <id>` | Revoke client authorization |
+| `gssh relay authorize <pubkey>` | Authorize a machine on relay |
+| `gssh relay revoke <id>` | Revoke machine authorization |
 | `gssh relay machines` | List authorized machines |
+| `gssh relay trusted` | List trusted relays |
+| `gssh relay untrust <url>` | Remove relay from trusted list |
 
 ### tmux-lite Daemon
 | Command | Description |
@@ -263,10 +264,19 @@ src/
 └─────────────────┘       └─────────────────┘       └─────────────────┘
 ```
 
-### Connection Flow
+### Connection Flow (gitspace.sh Hosting)
 
-1. Machine runs `gssh serve --relay <url> --token <jwt>`
-2. Machine registers with relay (sends public keys)
+1. User logs in: `gssh auth login` (GitHub OAuth)
+2. User reserves subdomain: `gssh host reserve <name>`
+3. Machine runs `gssh serve start` (auto-starts local relay + cloudflared tunnel)
+4. Client connects via web: `https://<name>.gitspace.sh`
+5. X3DH handshake establishes session keys
+6. All terminal I/O is E2E encrypted
+
+### Connection Flow (Self-Hosted Relay)
+
+1. Machine runs `gssh serve start --relay ws://relay:4480/ws`
+2. Machine registers with relay (Ed25519 challenge-response auth)
 3. Machine creates invite: `gssh share create`
 4. Client connects with invite: `gssh connect <token>`
 5. X3DH handshake establishes session keys
@@ -280,7 +290,7 @@ src/
 | Key exchange | X25519 |
 | Symmetric encryption | AES-256-GCM |
 | Key derivation | HKDF-SHA256 |
-| JWT signing | HMAC-SHA256 |
+| Relay authentication | Ed25519 challenge-response |
 
 ## TUI/Web Shared Component Pattern
 
@@ -322,11 +332,14 @@ bun run build
 # Run TUI
 bun src/index.ts
 
-# Run relay
-RELAY_SIGNING_SECRET=secret bun src/index.ts relay start
+# Run relay (uses Ed25519 identity from keychain)
+bun src/index.ts relay start
+
+# Run serve with gitspace.sh hosting (requires auth login + host reserve)
+bun src/index.ts serve start
 
-# Run serve
-bun src/index.ts serve --relay ws://localhost:8080/ws --token <jwt>
+# Run serve with self-hosted relay
+bun src/index.ts serve start --relay ws://localhost:4480/ws
 ```
 
 ### Code Style
@@ -409,6 +422,7 @@ bun src/index.ts serve --relay ws://localhost:8080/ws --token <jwt>
 | Access list | `~/gitspace/.access.json` | Authorized client public keys |
 | Machine info | `~/gitspace/.machine.json` | Machine registration |
 | Relay config | `~/gitspace/.relay.json` | Relay configuration cache |
+| Host config | `~/gitspace/host.json` | gitspace.sh subdomain config |
 | Daemon state | `~/gitspace/.serve/` | PID files, status sockets |
 | tmux-lite state | `/tmp/` | Session data (configurable via `TMUX_LITE_SESSION_DIR`) |
 
@@ -418,9 +432,8 @@ bun src/index.ts serve --relay ws://localhost:8080/ws --token <jwt>
 |----------|-------------|---------|
 | `RELAY_PORT` | Relay server port | `4480` |
 | `RELAY_BIND` | Relay bind address | `0.0.0.0` |
-| `RELAY_SIGNING_SECRET` | Secret for HMAC JWT signing | Required |
 | `RELAY_PRIVATE_KEY` | Base64 Ed25519 private key | Uses keychain |
-| `SPACES_CURRENT_PROJECT` | Override current project | From config |
+| `RELAY_LABEL` | Label for relay identity | None |
 | `GITSPACE_API_URL` | gitspace.sh API URL | `https://api.gitspace.sh` |
 
 ### Default Values
@@ -431,9 +444,8 @@ bun src/index.ts serve --relay ws://localhost:8080/ws --token <jwt>
 | Base branch | `main` | Global/project config |
 | Stale workspace days | `30` | Global config |
 | Relay port | `4480` | CLI/env |
-| Default relay URL | `wss://relay.gitspace.sh` | CLI |
 
 ---
 
-**Last Updated**: 2025-01
-**Runtime**: Bun / Node.js 18+
+**Last Updated**: 2026-01
+**Runtime**: Bun 1.3+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitspace",
-  "version": "0.2.0-rc.3",
+  "version": "0.2.0-rc.4",
   "description": "CLI for managing GitHub workspaces with git worktrees and secure remote terminal access",
   "bin": {
     "gssh": "./bin/gssh"
@@ -17,10 +17,10 @@
     "relay": "bun src/relay/index.ts"
   },
   "optionalDependencies": {
-    "@gitspace/darwin-arm64": "0.2.0-rc.3",
-    "@gitspace/darwin-x64": "0.2.0-rc.3",
-    "@gitspace/linux-x64": "0.2.0-rc.3",
-    "@gitspace/linux-arm64": "0.2.0-rc.3"
+    "@gitspace/darwin-arm64": "0.2.0-rc.4",
+    "@gitspace/darwin-x64": "0.2.0-rc.4",
+    "@gitspace/linux-x64": "0.2.0-rc.4",
+    "@gitspace/linux-arm64": "0.2.0-rc.4"
   },
   "keywords": [
     "cli",

package/src/commands/auth.ts

@@ -12,6 +12,7 @@ import { sign, serializeIdentity } from '../lib/tmux-lite/crypto/identity.js';
 import { promptPassword } from '../utils/prompts.js';
 import { logger } from '../utils/logger.js';
 import { NoIdentityError, SpacesError } from '../types/errors.js';
+import { syncHostConfig } from './host.js';
 
 // API Configuration
 const API_BASE = process.env.GITSPACE_API_URL || 'https://api.gitspace.sh';
@@ -194,6 +195,10 @@ export async function authLogin(): Promise<void> {
   logger.success('Authentication complete');
   logger.success(`Logged in as ${user.github_username}`);
   logger.success('Token saved to keychain');
+
+  // Step 6: Sync host config (fetches existing subdomains from API)
+  // Interactive mode will prompt user to select primary or reserve a subdomain
+  await syncHostConfig(true);
 }
 
 // ============================================================================

package/src/commands/host.ts

@@ -85,9 +85,11 @@ function writeHostConfig(config: HostConfig): void {
 }
 
 /**
- * Update host config after subdomain changes
+ * Sync host config from gitspace.sh API
+ * Called after login and subdomain changes to keep local config in sync
+ * @param interactive - If true, prompt user to select primary if needed
  */
-async function syncHostConfig(): Promise<void> {
+export async function syncHostConfig(interactive: boolean = false): Promise<void> {
   const token = await getSecret('GITSPACE_TOKEN');
   if (!token) return;
 
@@ -99,7 +101,40 @@ async function syncHostConfig(): Promise<void> {
 
     const subdomains: SubdomainInfo[] = await res.json();
     const activeSubdomains = subdomains.filter((s) => s.status === 'active');
-    const primary = activeSubdomains.find((s) => s.is_primary);
+
+    // No subdomains - tell user to reserve one
+    if (activeSubdomains.length === 0) {
+      if (interactive) {
+        logger.log('');
+        logger.dim('No subdomains reserved yet.');
+        logger.dim('To enable remote access, reserve a subdomain:');
+        logger.command('  gssh host reserve <name>');
+      }
+      return;
+    }
+
+    // Check for primary
+    let primary = activeSubdomains.find((s) => s.is_primary);
+
+    // If no primary set and interactive, ask user to pick one
+    if (!primary && interactive && activeSubdomains.length > 0) {
+      logger.log('');
+      logger.log('Your subdomains:');
+      activeSubdomains.forEach((s, i) => {
+        logger.log(`  ${i + 1}. ${s.subdomain}.gitspace.sh`);
+      });
+
+      if (activeSubdomains.length === 1) {
+        // Auto-set the only one as primary
+        primary = activeSubdomains[0];
+        logger.dim(`Setting ${primary.subdomain}.gitspace.sh as primary...`);
+        await hostSetPrimary(primary.subdomain);
+      } else {
+        logger.log('');
+        logger.dim('Select a primary subdomain for this machine:');
+        logger.command('  gssh host set-primary <name>');
+      }
+    }
 
     if (primary) {
       writeHostConfig({
@@ -107,6 +142,26 @@ async function syncHostConfig(): Promise<void> {
         subdomains: activeSubdomains.map((s) => s.subdomain),
         createdAt: primary.created_at,
       });
+
+      // Sync tunnel token if not present (e.g., new machine with existing account)
+      const existingToken = await getSecret(`TUNNEL_TOKEN_${primary.subdomain}`);
+      if (!existingToken) {
+        if (interactive) {
+          logger.dim(`Fetching tunnel credentials for ${primary.subdomain}.gitspace.sh...`);
+        }
+        try {
+          const tokenRes = await fetch(`${API_BASE}/subdomains/${primary.subdomain}/token`, { headers });
+          if (tokenRes.ok) {
+            const { tunnelToken } = await tokenRes.json();
+            await setSecret(`TUNNEL_TOKEN_${primary.subdomain}`, tunnelToken);
+            if (interactive) {
+              logger.success('Tunnel credentials saved');
+            }
+          }
+        } catch {
+          // Ignore token fetch errors
+        }
+      }
     }
   } catch {
     // Ignore sync errors
@@ -378,11 +433,28 @@ export async function hostStatus(): Promise<void> {
     logger.log(`Status: ${primary.status}`);
 
     // Check if tunnel token exists locally
-    const tunnelToken = await getSecret(`TUNNEL_TOKEN_${primary.subdomain}`);
+    let tunnelToken = await getSecret(`TUNNEL_TOKEN_${primary.subdomain}`);
+
+    // Auto-fetch token if missing
+    if (!tunnelToken) {
+      logger.dim('Tunnel credentials missing, fetching...');
+      try {
+        const tokenRes = await fetch(`${API_BASE}/subdomains/${primary.subdomain}/token`, { headers });
+        if (tokenRes.ok) {
+          const { tunnelToken: newToken } = await tokenRes.json();
+          await setSecret(`TUNNEL_TOKEN_${primary.subdomain}`, newToken);
+          tunnelToken = newToken;
+          logger.success('Tunnel credentials synced');
+        }
+      } catch {
+        // Ignore
+      }
+    }
+
     logger.log(`Tunnel token: ${tunnelToken ? 'configured' : 'missing'}`);
 
     if (!tunnelToken) {
-      logger.dim('Run: gssh host reserve ' + primary.subdomain + ' (to refresh token)');
+      logger.warning('Could not fetch tunnel credentials');
     }
   } catch {
     logger.log('Could not verify status (API unreachable)');

package/src/commands/serve.ts

@@ -66,7 +66,7 @@ import {
 const PACKAGE_VERSION = '1.0.0';
 
 /** Default relay URL */
-const DEFAULT_RELAY_URL = 'wss://relay.gitspace.sh';
+// No default relay - must use hosting or explicit --relay
 
 /** Local relay port for gitspace.sh hosting */
 const LOCAL_RELAY_PORT = 4480;
@@ -503,21 +503,36 @@ export async function serve(options: {
   const entries = readAccessList();
   accessList.import(entries);
 
-  // Step 3: Display info
+  // Step 3: Check for gitspace.sh hosting or explicit relay
+  const hostConfig = readHostConfig();
+  const relayUrl = options.relay; // No default - must use hosting or explicit --relay
+
+  // If no hosting config and no explicit relay, error out
+  if (!hostConfig?.subdomain && !relayUrl) {
+    throw new SpacesError(
+      'No relay configured.\n\n' +
+      'Either set up gitspace.sh hosting:\n' +
+      '  gssh auth login\n' +
+      '  gssh host reserve <subdomain>\n\n' +
+      'Or specify a relay explicitly:\n' +
+      '  gssh serve start --relay ws://localhost:4480/ws',
+      'USER_ERROR'
+    );
+  }
+
+  // Display info
   const machineIdentity = readMachineIdentity();
   const machineId = machineIdentity?.machineId ?? identity.id;
-  const relayUrl = options.relay ?? DEFAULT_RELAY_URL;
 
   logger.log('');
   logger.bold('Machine Identity:');
   logger.log(`  ID:    ${machineId}`);
-  logger.log(`  Relay: ${relayUrl}`);
+  if (relayUrl) {
+    logger.log(`  Relay: ${relayUrl}`);
+  }
   logger.log('');
   logger.dim(`Access list: ${entries.length} authorized ${entries.length === 1 ? 'client' : 'clients'}`);
   logger.log('');
-
-  // Step 3b: Check for gitspace.sh hosting
-  const hostConfig = readHostConfig();
   let localRelayServer: ReturnType<typeof createRelayServer> | null = null;
   let localRelayIdentity: ReturnType<typeof generateRelayIdentity> | null = null;
 
@@ -608,6 +623,11 @@ export async function serve(options: {
     return;
   }
 
+  // If we get here, relayUrl must be defined (checked earlier)
+  if (!relayUrl) {
+    throw new SpacesError('No relay URL configured', 'USER_ERROR');
+  }
+
   // Step 4: Create session manager
   const sessionManager = new ClientSessionManager({
     relay: relayUrl,
@@ -1208,10 +1228,18 @@ export async function serveStart(options: {
     logger.log('Starting serve daemon...');
 
     // Build args for background process
-    const args = [process.argv[1], 'serve', 'start', '--foreground'];
-    if (options.relay) args.push('--relay', options.relay);
-    if (options.relayPubkey) args.push('--relay-pubkey', options.relayPubkey);
-    args.push('--password-stdin');
+    // Detect if we're running as a compiled binary vs dev mode
+    const isCompiled = !process.execPath.endsWith('bun');
+
+    const serveArgs = ['serve', 'start', '--foreground'];
+    if (options.relay) serveArgs.push('--relay', options.relay);
+    if (options.relayPubkey) serveArgs.push('--relay-pubkey', options.relayPubkey);
+    serveArgs.push('--password-stdin');
+
+    // Build command: compiled binary runs directly, dev mode uses bun
+    const cmd = isCompiled
+      ? [process.execPath, ...serveArgs]
+      : ['bun', process.argv[1], ...serveArgs];
 
     // Write output to log file for debugging
     const logFile = getServeLogFile();
@@ -1221,7 +1249,7 @@ export async function serveStart(options: {
     await Bun.write(logFile, `[${new Date().toISOString()}] Starting serve daemon...\n`);
 
     const child = spawn({
-      cmd: ['bun', ...args],
+      cmd,
       stdin: 'pipe',
       stdout: Bun.file(logFile),
       stderr: Bun.file(logFile),
@@ -1269,20 +1297,35 @@ export async function serveStart(options: {
   // Get config
   const machineIdentity = readMachineIdentity();
   const machineId = machineIdentity?.machineId ?? identity.id;
-  const relayUrl = options.relay ?? DEFAULT_RELAY_URL;
 
   // Check for gitspace.sh hosting
   const hostConfig = readHostConfig();
+  const relayUrl = options.relay; // No default - must use hosting or explicit --relay
+
+  // If no hosting config and no explicit relay, error out
+  if (!hostConfig?.subdomain && !relayUrl) {
+    cleanupServeFiles();
+    throw new SpacesError(
+      'No relay configured.\n\n' +
+      'Either set up gitspace.sh hosting:\n' +
+      '  gssh auth login\n' +
+      '  gssh host reserve <subdomain>\n\n' +
+      'Or specify a relay explicitly:\n' +
+      '  gssh serve start --relay ws://localhost:4480/ws',
+      'USER_ERROR'
+    );
+  }
+
   let localRelayServer: ReturnType<typeof createRelayServer> | null = null;
   let localRelayIdentity: ReturnType<typeof generateRelayIdentity> | null = null;
-  let effectiveRelayUrl = relayUrl;
+  let effectiveRelayUrl = relayUrl || '';
 
   // Initialize daemon state
   setDaemonState({
     version: PACKAGE_VERSION,
     startTime: Date.now(),
     relay: {
-      url: relayUrl,
+      url: effectiveRelayUrl,
       status: 'connecting',
     },
     clients: 0,
@@ -1373,7 +1416,7 @@ export async function serveStart(options: {
 
   // Save relay config for share/access commands
   writeRelayConfig({
-    relayUrl,
+    relayUrl: effectiveRelayUrl,
     machineId,
     savedAt: Date.now(),
   });

package/src/commands/share.ts

@@ -27,11 +27,6 @@ import { SpacesError, NoIdentityError, InvalidPasswordError } from '../types/err
 import chalk from 'chalk';
 import { createHash } from 'crypto';
 
-/**
- * Default relay URL
- */
-const DEFAULT_RELAY_URL = 'wss://relay.gitspace.sh';
-
 /**
  * Duration string formats supported:
  * - "1h" -> 1 hour

package/src/index.ts

@@ -5,6 +5,22 @@
  * Manages GitHub workspaces with git worktrees and secure remote terminal access
  */
 
+// Internal command: run tmux-lite server directly (for compiled binary)
+// This must be checked before any other imports to avoid loading unnecessary modules
+if (process.argv.includes('--internal-tmux-server')) {
+	// Pass through --test flag if present
+	if (process.argv.includes('--test')) {
+		process.env.TMUX_LITE_SOCKET = '/tmp/tmux-lite-test.sock';
+		process.env.TMUX_LITE_SESSION_DIR = '/tmp/tmux-lite-test';
+		process.env.TMUX_LITE_PID_FILE = '/tmp/tmux-lite-test.pid';
+	}
+	// Import and run server (module auto-starts on import)
+	await import('./lib/tmux-lite/server.js');
+	// Keep process alive - server runs via Bun.listen() which is async
+	// We need to prevent the rest of this file from executing
+	await new Promise(() => {}); // Block forever
+}
+
 import { Command } from 'commander'
 import { readFileSync } from 'fs'
 import { join } from 'path'

package/src/lib/tmux-lite/cli.ts

@@ -67,9 +67,22 @@ if (isTestMode) {
   process.env.TMUX_LITE_SESSION_DIR = "/tmp/tmux-lite-test";
 }
 
-const getServerCommand = (): string[] => (
-  isTestMode ? ["bun", "run", SERVER_SCRIPT, "--test"] : ["bun", "run", SERVER_SCRIPT]
-);
+const getServerCommand = (): string[] => {
+  // Detect if we're running as a compiled binary (not bun)
+  const isCompiled = !process.execPath.endsWith('bun');
+
+  if (isCompiled) {
+    // Use the binary with internal flag
+    return isTestMode
+      ? [process.execPath, '--internal-tmux-server', '--test']
+      : [process.execPath, '--internal-tmux-server'];
+  }
+
+  // Dev mode: use bun run
+  return isTestMode
+    ? ['bun', 'run', SERVER_SCRIPT, '--test']
+    : ['bun', 'run', SERVER_SCRIPT];
+};
 
 // Check if we're already inside a tmux-lite session
 export function isNested(): boolean {

package/src/relay/server.ts

@@ -68,25 +68,27 @@ function getContentType(pathname: string): string {
  * Serve a static file - tries embedded assets first, falls back to filesystem
  */
 async function serveStaticFile(pathname: string): Promise<Response | null> {
+  // Normalize path for content type (/ -> /index.html)
+  const normalizedPath = pathname === "/" ? "/index.html" : pathname;
+
   // Try embedded assets first (compiled binary)
   if (hasEmbeddedAssets() && embeddedAssets) {
     const blob = embeddedAssets.getEmbeddedFile(pathname);
     if (blob) {
       return new Response(blob, {
-        headers: { "Content-Type": getContentType(pathname) },
+        headers: { "Content-Type": getContentType(normalizedPath) },
       });
     }
   }
 
   // Fall back to filesystem (development mode)
-  const filePath = pathname === "/" ? "/index.html" : pathname;
-  const resolvedPath = resolveAssetPath(filePath);
+  const resolvedPath = resolveAssetPath(normalizedPath);
   if (!resolvedPath) return null;
 
   const file = Bun.file(resolvedPath);
   if (await file.exists()) {
     return new Response(file, {
-      headers: { "Content-Type": getContentType(pathname) },
+      headers: { "Content-Type": getContentType(normalizedPath) },
     });
   }