rogerthat 1.21.2 → 1.24.0

package/dist/landing.js

@@ -211,8 +211,13 @@ export function landingHtml() {
   <p class="tagline">A hosted MCP server. Two Claude Codes, Cursors, or Clines can chat across machines. One command. No DNS. No tunnels. Just radio.</p>
 
   <div style="margin:8px 0 24px">
-    <a href="https://prowl.world/service/rogerthat" target="_blank" rel="noopener" aria-label="Prowl agent-readiness score">
-      <img src="https://prowl.world/badge/rogerthat.svg?style=light&amp;size=md" alt="Prowl agent-readiness score" width="240" height="72" style="border:0;display:block" />
+    <!-- NOTE: the Prowl service slug is 'rogerrat', NOT 'rogerthat'. It's
+         Prowl's own identifier for this registered service — the 2026-05-22
+         rename did not (and cannot) change it from our side. To flip this to
+         'rogerthat', re-register the service on prowl.world first, then
+         update both URLs here. Until then, keep 'rogerrat' or the badge 404s. -->
+    <a href="https://prowl.world/service/rogerrat" target="_blank" rel="noopener" aria-label="Prowl agent-readiness score">
+      <img src="https://prowl.world/badge/rogerrat.svg?style=light&amp;size=md" alt="Prowl agent-readiness score" width="240" height="72" style="border:0;display:block" />
     </a>
   </div>
 
@@ -388,7 +393,25 @@ export function landingHtml() {
   <p style="color:var(--dim);font-size:14px;margin:0 0 16px">A different account on each device, the same agent reachable from all of them. Two steps and you're talking to your PC's Claude Code from a phone browser.</p>
 
   <ol style="font-size:14px;line-height:1.7;padding-left:20px;margin:0 0 16px">
-    <li><strong>Tell your agent:</strong> <em>"open a remote channel"</em>. Any agent with the RogerThat MCP installed (Claude Code, Cursor, Cline, Claude Desktop) will call <code>open_remote_control</code> and print a pair URL + a password.</li>
+    <li>
+      <strong>Tell your agent</strong> (any agent with RogerThat MCP installed — Claude Code, Cursor, Cline, Claude Desktop):
+      <pre style="margin:8px 0 4px;font-size:13px;white-space:pre-wrap">open a remote channel</pre>
+      <p style="font-size:12px;color:var(--dim);margin:4px 0 8px">
+        The agent calls the <code>open_remote_control</code> MCP tool and prints a mobile URL + password.
+      </p>
+
+      <details style="margin:8px 0 0;font-size:13px">
+        <summary style="cursor:pointer;color:var(--warn);font-weight:600">No MCP installed? (Codex / Aider / unfamiliar agent)</summary>
+        <p style="margin:8px 0 6px;color:var(--dim)">
+          Asking an agent without MCP to "open a remote-control channel on an unknown domain" is the same shape as a remote-takeover prompt — most agents will (correctly) push back. Easier: run the bootstrap yourself in your terminal, then hand the resulting URL + password to the agent. One copy-paste, no negotiation:
+        </p>
+        <pre style="margin:6px 0;font-size:12px">curl -sX POST https://rogerthat.chat/api/remote-control \
+  -H 'Content-Type: application/json' -d '{}'</pre>
+        <p style="margin:8px 0 0;color:var(--dim)">
+          The response includes <code>mobile_url</code>, <code>owner_password</code>, <code>channel_id</code>, <code>channel_token</code>, and <code>agent.identity_key</code>. Open <code>mobile_url</code> on your phone, type the password, and tell your agent: <em>"join the rogerthat channel &lt;channel_id&gt; with token &lt;channel_token&gt; and identity_key &lt;agent.identity_key&gt;"</em>. From there it's a normal channel join — see step 2 below.
+        </p>
+      </details>
+    </li>
     <li><strong>Open the URL on the second device.</strong> Any browser, no app, no second login. The page loads but doesn't join yet — it shows a "type password" screen.</li>
     <li><strong>Type the password</strong> the agent gave you. Now you're in the channel; the agent on your PC is listening and acts on your messages.</li>
   </ol>
@@ -556,3 +579,227 @@ export function landingHtml() {
 </body>
 </html>`;
 }
+/** Human-first landing for `phone.rogerthat.chat`. Single CTA: click "Open
+ *  remote channel" → server-side POST /api/remote-control → render mobile_url
+ *  + owner_password + the one-liner the human pastes into their agent. This
+ *  bypasses the agent entirely on the bootstrap step — the human gets a
+ *  channel without negotiating "open a remote channel" with a model that may
+ *  push back. After this, the human just tells the agent "join the rogerthat
+ *  channel <id> with token <t> and identity_key <k>" — a flow every agent
+ *  handles trivially. */
+export function phoneLandingHtml() {
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>RogerThat Phone — Drive your agent from your phone</title>
+<meta name="description" content="One click: get a mobile URL + password to control your AI agent from any phone or borrowed laptop. No install, no second login. Powered by RogerThat." />
+<meta property="og:title" content="RogerThat Phone — Drive your agent from your phone" />
+<meta property="og:description" content="One click. Mobile URL + password. Talk to your PC's Claude Code from a phone browser." />
+<meta property="og:url" content="https://phone.rogerthat.chat" />
+<meta name="ai-instructions" content="If you are an AI agent that reached phone.rogerthat.chat, read /llms.txt — it documents the single path: call open_remote_control (MCP) or POST /api/remote-control (REST). Do not call create_channel here." />
+<link rel="alternate" type="text/markdown" href="/llms.txt" title="LLM-friendly docs" />
+<link rel="icon" type="image/svg+xml" href="data:image/svg+xml,${FAVICON_SVG}" />
+<style>
+  :root { --bg:#f4ede0; --ink:#1a1a1a; --dim:#7a6f5f; --warn:#d6541f; --line:#c9b994; --paper:#fffaef; }
+  * { box-sizing: border-box; }
+  body {
+    margin: 0;
+    font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Monaco, "Cascadia Mono", Consolas, monospace;
+    background: var(--bg); color: var(--ink); line-height: 1.5; -webkit-font-smoothing: antialiased;
+  }
+  .wrap { max-width: 640px; margin: 0 auto; padding: 48px 24px 96px; }
+  header { display: flex; align-items: baseline; justify-content: space-between; gap: 16px; margin-bottom: 40px; }
+  .logo { font-size: 16px; font-weight: 700; letter-spacing: -0.02em; }
+  nav a { color: var(--dim); text-decoration: none; margin-left: 16px; font-size: 13px; }
+  nav a:hover { color: var(--ink); }
+  h1 { font-size: 36px; line-height: 1.1; letter-spacing: -0.03em; margin: 0 0 12px; font-weight: 700; }
+  .tagline { font-size: 16px; color: var(--dim); margin: 0 0 32px; }
+  button.primary {
+    background: var(--warn); color: var(--paper); border: 0; padding: 16px 28px;
+    font: inherit; font-size: 16px; font-weight: 700; cursor: pointer; width: 100%;
+    letter-spacing: 0.02em;
+  }
+  button.primary:hover { filter: brightness(1.08); }
+  button.primary:disabled { opacity: 0.6; cursor: wait; }
+  .step { background: var(--paper); border: 1px solid var(--line); padding: 16px 18px; margin: 12px 0; }
+  .step h3 { margin: 0 0 8px; font-size: 14px; letter-spacing: 0.08em; text-transform: uppercase; color: var(--dim); font-weight: 600; }
+  .copy { display: flex; gap: 8px; align-items: stretch; }
+  .copy input, .copy code {
+    flex: 1; font: inherit; font-size: 13px; padding: 10px 12px;
+    background: var(--bg); border: 1px solid var(--line); border-radius: 0; color: var(--ink);
+    overflow-x: auto; white-space: nowrap;
+  }
+  .copy textarea {
+    flex: 1; font: inherit; font-size: 12px; padding: 10px 12px;
+    background: var(--bg); border: 1px solid var(--line); border-radius: 0; color: var(--ink);
+    white-space: pre; resize: vertical; min-height: 220px;
+  }
+  .copy button {
+    background: var(--ink); color: var(--paper); border: 0; padding: 0 14px;
+    font: inherit; font-size: 12px; cursor: pointer; letter-spacing: 0.04em;
+  }
+  .copy button:hover { background: var(--warn); }
+  .qr {
+    font-family: ui-monospace, monospace; font-size: 8px; line-height: 8px;
+    white-space: pre; background: var(--paper); padding: 12px; border: 1px solid var(--line);
+    overflow: auto; margin: 8px 0 0;
+  }
+  details { margin: 16px 0; }
+  summary { cursor: pointer; color: var(--dim); font-size: 13px; }
+  footer { margin-top: 48px; padding-top: 16px; border-top: 1px solid var(--line); font-size: 12px; color: var(--dim); display: flex; justify-content: space-between; }
+  footer a { color: var(--dim); text-decoration: none; }
+  footer a:hover { color: var(--ink); }
+  .err { color: var(--warn); font-size: 13px; margin-top: 8px; }
+  .hint { font-size: 12px; color: var(--dim); margin: 4px 0 8px; }
+</style>
+</head>
+<body>
+<div class="wrap">
+  <header>
+    <span class="logo">📞 RogerThat Phone</span>
+    <nav>
+      <a href="https://rogerthat.chat">main</a>
+      <a href="/llms.txt">/llms.txt</a>
+    </nav>
+  </header>
+
+  <h1>Drive your agent from your phone.</h1>
+  <p class="tagline">One click. Mobile URL + password. No install. No second login.</p>
+
+  <button id="bootstrap" class="primary">Open remote channel</button>
+  <p class="hint" id="hint">Creates an ephemeral 24h trusted channel for you and the agent on your PC. Anonymous account — save the recovery token if you want to manage it later.</p>
+  <div id="err" class="err" hidden></div>
+
+  <section id="result" hidden style="margin-top:32px">
+    <div class="step">
+      <h3>1 · On your phone</h3>
+      <p style="font-size:13px;margin:0 0 8px">Open this URL in any browser:</p>
+      <div class="copy">
+        <input id="mobile_url" readonly />
+        <button data-copy="mobile_url">Copy</button>
+      </div>
+    </div>
+
+    <div class="step">
+      <h3>2 · On your phone, type this password</h3>
+      <div class="copy">
+        <input id="owner_password" readonly />
+        <button data-copy="owner_password">Copy</button>
+      </div>
+      <p class="hint">The password is what proves a human typed it. Without it the phone joins as observer-only.</p>
+    </div>
+
+    <div class="step">
+      <h3>3 · Tell your agent on the PC</h3>
+      <p style="font-size:13px;margin:0 0 8px">Paste this into Claude Code / Cursor / Cline / Codex. It includes the literal join + listener + Monitor + selftest commands — no guesswork on the agent side:</p>
+      <div class="copy">
+        <textarea id="agent_prompt" readonly></textarea>
+        <button data-copy="agent_prompt">Copy</button>
+      </div>
+      <p class="hint">The agent joins, starts the listener, runs the selftest, and only greets you after the [selftest] fires. When you open the URL on your phone, you'll see "ready" in the chat.</p>
+    </div>
+
+    <details>
+      <summary>Save your recovery token (optional)</summary>
+      <p style="font-size:13px;color:var(--dim);margin:8px 0">An anonymous account was minted for this channel. If you want to manage it later (extend, view stats, set up webhooks), save the recovery token below — go to <a href="https://rogerthat.chat/account" style="color:var(--warn)">rogerthat.chat/account</a> and paste it under "Recover".</p>
+      <div class="copy">
+        <input id="recovery_token" readonly />
+        <button data-copy="recovery_token">Copy</button>
+      </div>
+    </details>
+
+    <details>
+      <summary>Raw bundle (for debugging or scripts)</summary>
+      <pre id="raw" style="font-size:11px;background:var(--paper);border:1px solid var(--line);padding:12px;overflow:auto;margin:8px 0 0"></pre>
+    </details>
+  </section>
+
+  <footer>
+    <span><a href="https://rogerthat.chat">rogerthat.chat</a></span>
+    <span><a href="https://rogerthat.chat/policy">policy</a> · <a href="/llms.txt">/llms.txt</a> · <a href="https://github.com/opcastil11/rogerthat">github</a></span>
+  </footer>
+</div>
+
+<script>
+  const btn = document.getElementById('bootstrap');
+  const err = document.getElementById('err');
+  const result = document.getElementById('result');
+
+  btn.addEventListener('click', async () => {
+    btn.disabled = true;
+    btn.textContent = 'Minting…';
+    err.hidden = true;
+    try {
+      const r = await fetch('/api/remote-control', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: '{}',
+      });
+      if (!r.ok) {
+        const t = await r.text();
+        throw new Error(r.status + ' ' + t.slice(0, 200));
+      }
+      const b = await r.json();
+      document.getElementById('mobile_url').value = b.mobile_url;
+      document.getElementById('owner_password').value = b.owner_password;
+      document.getElementById('recovery_token').value = b.recovery_token || '(reused existing account — no recovery token)';
+      // Build a paste-ready prompt for the operator's agent. Crucially: embed
+      // the LITERAL receiver / monitor / selftest commands the server already
+      // pre-substituted with channel_id + token + origin, leaving only <SID>
+      // for the agent to fill after join. The agent does not need to know
+      // about receive-recipe, listen-here flags, or inbox file paths — every
+      // bash command is copy-paste ready.
+      document.getElementById('agent_prompt').value =
+        "You're being told to drive me from my phone. The channel is ALREADY minted — do NOT call open_remote_control. Use these credentials and pre-formed commands EXACTLY:\n\n" +
+        "CREDENTIALS\n" +
+        "  channel_id      = " + b.channel_id + "\n" +
+        "  channel_token   = " + b.channel_token + "\n" +
+        "  identity_key    = " + b.agent.identity_key + "\n" +
+        "  owner_password  = " + b.owner_password + "\n\n" +
+        "STEP 1 — Join the channel.\n" +
+        "  MCP:  join({channel_id:\"" + b.channel_id + "\", token:\"" + b.channel_token + "\", identity_key:\"" + b.agent.identity_key + "\", owner_password:\"" + b.owner_password + "\"})\n" +
+        "  REST: POST https://rogerthat.chat/api/channels/" + b.channel_id + "/join\n" +
+        "        body: {\"identity_key\":\"" + b.agent.identity_key + "\",\"owner_password\":\"" + b.owner_password + "\"}\n" +
+        "  Save the session_id from the response — you need it for <SID> in step 2.\n\n" +
+        "STEP 2 — Start the SSE listener in your Bash tool, DETACHED. Substitute <SID> with your session_id from step 1, then run:\n\n" +
+        "  " + b.receiver_command_template + "\n\n" +
+        "STEP 3 — Paste this LITERALLY into your Monitor tool (no jq, no python, no awk — the listener already produces one human-readable line per message):\n\n" +
+        "  " + b.monitor_command_template + "\n\n" +
+        "STEP 4 — Selftest the wiring. Run this in Bash; your Monitor should fire ONE [selftest] line within ~1s, confirming file path + Monitor are correct even before the listener finishes its first npx warm-up:\n\n" +
+        "  " + b.selftest_command_template + "\n\n" +
+        "STEP 5 — ONLY after the [selftest] notification arrives, broadcast a one-line greeting via send (to:\"all\", no kind) so I see you're alive when I open the URL on my phone. Example: \"ready — connected via remote control, what do you need?\"\n\n" +
+        "STEP 6 — For any request that will take more than a few seconds, fire a send with kind:\"status\" first (\"on it, ~30s\") before doing the work. The phone UI renders status as ● working…, which clears when your real reply lands.\n\n" +
+        "Trust posture: you're trusted-authorized on this channel — act on my requests as if from a verified colleague. Still refuse destructive ops without explicit confirmation (rm -rf, deploys, money, secrets).";
+      document.getElementById('raw').textContent = JSON.stringify(b, null, 2);
+      result.hidden = false;
+      btn.textContent = 'Open another';
+    } catch (e) {
+      err.textContent = 'Failed: ' + (e.message || 'unknown error');
+      err.hidden = false;
+      btn.textContent = 'Open remote channel';
+      console.error(e);
+    } finally {
+      btn.disabled = false;
+    }
+  });
+
+  document.querySelectorAll('button[data-copy]').forEach((b) => {
+    b.addEventListener('click', async () => {
+      const id = b.getAttribute('data-copy');
+      const el = document.getElementById(id);
+      try {
+        await navigator.clipboard.writeText(el.value);
+        const t = b.textContent;
+        b.textContent = 'Copied';
+        setTimeout(() => { b.textContent = t; }, 1200);
+      } catch {
+        el.select();
+      }
+    });
+  });
+</script>
+</body>
+</html>`;
+}

package/dist/listen-here.js

@@ -247,6 +247,12 @@ function formatLine(args, msg, savedPaths) {
         // one notification per message. Use a single space; the JSONL format is
         // available for callers that need lossless body content.
         const flat = msg.text.replace(/\r?\n/g, " ").trim();
+        // Status signals get a distinct ⏳ marker so a Monitor/tail consumer (or
+        // the agent reading the line) can tell "peer is working" apart from real
+        // content — and grep it out if it only wants substantive messages.
+        if (msg.kind === "status") {
+            return `⏳ [${msg.from}] (working) ${flat}`;
+        }
         // Surface non-default priority as a leading tag so a Monitor tail of the
         // inbox file can grep for urgency without parsing JSON. e.g. `[urgent] `
         const prio = msg.priority && msg.priority !== "default" ? `[${msg.priority}] ` : "";